diff --git a/bin/enrich_with_yara.py b/bin/enrich_with_yara.py
index 4711b4c18..a72800fad 100644
--- a/bin/enrich_with_yara.py
+++ b/bin/enrich_with_yara.py
@@ -1,6 +1,7 @@
import argparse
import os
import yaml
+import re
# Parse command-line arguments
parser = argparse.ArgumentParser()
@@ -18,6 +19,15 @@
{"type": "sysmon_hash_block", "value": base_url + "detections/sysmon/sysmon_config_vulnerable_hashes_block.xml"}
]
+# Define YARA rules files
+yara_rules_files = [
+ "yara-rules_mal_drivers_strict.yar",
+ "yara-rules_vuln_drivers_strict_renamed.yar",
+ "yara-rules_vuln_drivers.yar",
+ "yara-rules_mal_drivers.yar",
+ "yara-rules_vuln_drivers_strict.yar"
+]
+
# Loop through each YAML file in the directory
for file_name in os.listdir('yaml'):
if file_name.endswith('.yaml') or file_name.endswith('.yml'):
@@ -31,13 +41,23 @@
updated = False
for entry in yaml_data['KnownVulnerableSamples']:
sha256 = entry.get('SHA256')
- if sha256:
- yara_file_path = os.path.join('detections/yara', f'{sha256}.yara')
- if os.path.exists(yara_file_path):
- updated = True
- if args.verbose:
- print(f"Updating file: {file_path}")
- yaml_data['Detection'].append({"type": "yara_signature", "value": base_url + yara_file_path})
+ if sha256:
+ for yara_file_name in yara_rules_files:
+ yara_file_path = os.path.join('detections/yara', yara_file_name)
+
+ # Load YARA rules from the file
+ with open(yara_file_path, 'r') as f:
+ yara_rules = f.read()
+
+ # Check if a rule exists for the specific sample
+ if re.search(f'{sha256}', yara_rules):
+ yara_link = {"type": "yara_signature", "value": base_url + yara_file_path}
+ if yara_link not in yaml_data['Detection']:
+ updated = True
+ if args.verbose:
+ print(f"Updating file: {file_path}")
+ yaml_data['Detection'].append(yara_link)
+ break
# Add specific sigma and sysmon rules to detections
yaml_data['Detection'].extend(sigma_rules)
@@ -47,4 +67,3 @@
if updated:
with open(file_path, 'w') as f:
yaml.dump(yaml_data, f, sort_keys=False)
-
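Review bot: The `yara_rules_files` list is a hard-coded copy of what lives in `detections/yara`, and its order is load-bearing because the `break` in the next hunk appears to stop at the first file that mentions a sample, yet nothing says so. Add a comment above the list, e.g. `# Priority order: a sample is linked to the first file here that contains its hash`, or derive the list from `os.listdir('detections/yara')` with an explicit sort if the order is not meant to matter. With the current list, a rules file added to the directory later is silently never searched.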
diff --git a/detections/yara/yara-rules_mal_drivers.yar b/detections/yara/yara-rules_mal_drivers.yar
index 6217db182..e3eb325c7 100644
--- a/detections/yara/yara-rules_mal_drivers.yar
+++ b/detections/yara/yara-rules_mal_drivers.yar
@@ -1,4 +1,182 @@ +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_AAFA { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "aafa642ca3d906138150059eeddb6f6b4fe9ad90c6174386cfe13a13e8be47d9" + hash = "8206ce9c42582ac980ff5d64f8e3e310bc2baa42d1a206dd831c6ab397fbd8fe" + hash = "008fa89822b7a1f91e5843169083202ea580f7b06eb6d5cae091ba844d035f25" + hash = "b2486f9359c94d7473ad8331b87a9c17ca9ba6e4109fd26ce92dff01969eaa09" + hash = "beef40f1b4ce0ff2ee5c264955e6b2a0de6fe4089307510378adc83fad77228b" + hash = "8b30b2dc36d5e8f1ffc7281352923773fb821cdf66eb6516f82c697a524b599b" + hash = "60ee78a2b070c830fabb54c6bde0d095dff8fad7f72aa719758b3c41c72c2aa9" + hash = "e8743094f002239a8a9d6d7852c7852e0bb63cd411b007bd8c194bcba159ef15" + hash = "d41e39215c2c1286e4cd3b1dc0948adefb161f22bc3a78756a027d41614ee4ff" + hash = "d7aa8abdda8a68b8418e86bef50c19ef2f34bc66e7b139e43c2a99ab48c933be" + hash = "40556dd9b79b755cc0b48d3d024ceb15bd2c0e04960062ab2a85cd7d4d1b724a" + hash = "fefc070a5f6a9c0415e1c6f44512a33e8d163024174b30a61423d00d1e8f9bf2" + hash = "ec96b15ce218f97ec1d8f07f13b052d274c4c8438f31daf246ccfaaee5e1bebd" + hash = "6964a5d85639baee288555797992861232e75817f93028b50b8c6d34aa38b05b" + hash = "e858de280bd72d7538386a73e579580a6d5edba87b66b3671dc180229368be19" + hash = "2ce4f8089b02017cbe86a5f25d6bc69dd8b6f5060c918a64a4123a5f3be1e878" + hash = "82ac05fefaa8c7ee622d11d1a378f1d255b647ab2f3200fd323cc374818a83f2" + hash = "21617210249d2a35016e8ca6bd7a1edda25a12702a2294d56010ee8148637f5a" + hash = "443c0ba980d4db9213b654a45248fd855855c1cc81d18812cae9d16729ff9a85" + hash = "02ebf848fa618eba27065db366b15ee6629d98f551d20612ac38b9f655f37715" + hash = "a85d3fd59bb492a290552e5124bfe3f9e26a3086d69d42ccc44737b5a66673ec" + hash = "7662187c236003308a7951c2f49c0768636c492f8935292d02f69e59b01d236d" + hash = 
"c7cd14c71bcac5420872c3d825ff6d4be6a86f3d6a8a584f1a756541efff858e" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + all of them +} + + +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_0740 { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0740359baef32cbb0b14a9d1bd3499ea2e770ff9b1c85898cfac8fd9aca4fa39" + hash = 
"4af8192870afe18c77381dfaf8478f8914fa32906812bb53073da284a49ae4c7" + hash = "818787057fc60ac8b957aa37d750aa4bace8e6a07d3d28b070022ee6dcd603ab" + hash = "af4f42197f5ce2d11993434725c81ecb6f54025110dedf56be8ffc0e775d9895" + hash = "e4b2c0aa28aac5e197312a061b05363e2e0387338b28b23272b5b6659d29b1d8" + hash = "469713c76c7a887826611b8c7180209a8bb6250f91d0f1eb84ac4d450ef15870" + hash = "2da2b883e48e929f5365480d487590957d9e6582cc6da2c0b42699ba85e54fe2" + hash = "9dc7beb60a0a6e7238fc8589b6c2665331be1e807b4d2b3ddd1c258dbbd3e2f7" + hash = "62764ddc2dce74f2620cd2efd97a2950f50c8ac5a1f2c1af00dc5912d52f6920" + hash = "3b2cd65a4fbdd784a6466e5196bc614c17d1dbaed3fd991d242e3be3e9249da6" + hash = "897f2bbe81fc3b1ae488114b93f3eb0133a85678d061c7a6f718507971f33736" + hash = "0f7bfa10075bf5c193345866333d415509433dbfe5a7d45664b88d72216ff7c3" + hash = "29348ebe12d872c5f40e316a0043f7e5babe583374487345a79bad0ba93fbdfe" + hash = "ddf427ce55b36db522f638ba38e34cd7b96a04cb3c47849b91e7554bfd09a69a" + hash = "bcb774b6f6ff504d2db58096601bc5cb419c169bfbeaa3af852417e87d9b2aa0" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310036002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + all of them +} + + +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_3CA5 { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3ca5d47d076e99c312578ef6499e1fa7b9db88551cfc0f138da11105aca7c5e1" + hash = "1a5c08d40a5e73b9fe63ea5761eaec8f41d916ca3da2acbc4e6e799b06af5524" + hash = "cf9451c9ccc5509b9912965f79c2b95eb89d805b2a186d7521d3a262cf5a7a37" + hash = "80e4c83cfa9d675a6746ab846fa5da76d79e87a9297e94e595a2d781e02673b3" + hash = "e8ec06b1fa780f577ff0e8c713e0fd9688a48e0329c8188320f9eb62dfc0667f" + hash = "4b97d63ebdeda6941bb8cef5e94741c6cca75237ca830561f2262034805f0919" + hash = "4d42678df3917c37f44a1506307f1677b9a689efcf350b1acce7e6f64b514905" + hash = "d032001eab6cad4fbef19aab418650ded00152143bd14507e17d62748297c23f" + hash = "569fe70bedd0df8585689b0e88ad8bd0544fdf88b9dbfc2076f4bdbcf89c28aa" + hash = "aaf04d89fd15bc61265e545f8e1da80e20f59f90058ed343c62ee24358e3af9e" + hash = "ee7b8eb150df2788bb9d5fe468327899d9f60d6731c379fd75143730a83b1c55" + hash = "7b846b0a717665e4d9fb313f25d1f6a5b782e495387aea45cf87ad3c049ac0db" + hash = "082a79311da64b6adc3655e79aa090a9262acaac3b917a363b9571f520a17f6a" + hash = 
"4c89c907b7525b39409af1ad11cc7d2400263601edafc41c935715ef5bd145de" + hash = "492113a223d6a3fc110059fe46a180d82bb8e002ef2cd76cbf0c1d1eb8243263" + hash = "19dfacea1b9f19c0379f89b2424ceb028f2ce59b0db991ba83ae460027584987" + hash = "ac5fb90e88d8870cd5569e661bea98cf6b001d83ab7c65a5196ea3743146939a" + hash = "a1e6b431534258954db07039117b3159e889c6b9e757329bbd4126383c60c778" + hash = "f03f0fb3a26bb83e8f8fa426744cf06f2e6e29f5220663b1d64265952b8de1a1" + hash = "93aa3066ae831cdf81505e1bc5035227dc0e8f06ebbbb777832a17920c6a02fe" + hash = "85b9d7344bf847349b5d58ebe4d44fd63679a36164505271593ef1076aa163b2" + hash = "0f98492c92e35042b09032e3d9aedc357e4df94fc840217fa1091046f9248a06" + hash = "95e5b5500e63c31c6561161a82f7f9373f99b5b1f54b018c4866df4f2a879167" + hash = "d37996abc8efb29f1ccbb4335ce9ba9158bec86cc4775f0177112e87e4e3be5c" + hash = "f9b01406864ab081aa77eef4ad15cb2dd2f830d1ef54f52622a59ff1aeb05ba5" + hash = "2456a7921fa8ab7b9779e5665e6b42fccc019feb9e49a9a28a33ec0a4bb323c4" + hash = "ee525b90053bb30908b5d7bf4c5e9b8b9d6b7b5c9091a26fa25d30d3ad8ef5d0" + hash = "efa56907b9d0ec4430a5d581f490b6b9052b1e979da4dab6a110ab92e17d4576" + hash = "bc49cb96f3136c3e552bf29f808883abb9e651040415484c1736261b52756908" + hash = "10ad50fcb360dcab8539ea322aaf2270565dc835b7535790937348523d723d6b" + hash = "c42c1e5c3c04163bf61c3b86b04a5ec7d302af7e254990cef359ac80474299da" + hash = "12b0000698b79ea3c8178b9e87801cc34bad096a151a8779559519deafd4e3f0" + hash = "083f821d90e607ed93221e71d4742673e74f573d0755a96ad17d1403f65a2254" + hash = "b0b80a11802b4a8ca69c818a03e76e7ef57c2e293de456439401e8e6073f8719" + hash = "793b78e70b3ae3bb400c5a8bc4d2d89183f1d7fc70954aed43df7287248b6875" + hash = "d43520128871c83b904f3136542ea46644ac81a62d51ae9d3c3a3f32405aad96" + hash = "94c71954ac0b1fd9fa2bd5c506a16302100ba75d9f84f39ee9b333546c714601" + hash = "e99580e25f419b5ad90669e0c274cf63d30efa08065d064a863e655bdf77fb59" + hash = "4136f1eb11cc463a858393ea733d5f1c220a3187537626f7f5d63eccf7c5a03f" + hash = 
"a0931e16cf7b18d15579e36e0a69edad1717b07527b5407f2c105a2f554224b2" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000320030002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + all of them +} + + +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_07BE { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "07beac65e28ee124f1da354293a3d6ad7250ed1ce29b8342acfd22252548a5af" + hash = 
"41ad660820c41fc8b1860b13dc1fea8bc8cb2faceb36ed3e29d40d28079d2b1f" + hash = "a7a665a695ec3c0f862a0d762ad55aff6ce6014359647e7c7f7e3c4dc3be81b7" + hash = "9a42fa1870472c38a56c0a70f62e57a3cdc0f5bc142f3a400d897b85d65800ac" + hash = "1d23ab46ad547e7eef409b40756aae9246fbdf545d13946f770643f19c715e80" + hash = "8b32fc8b15363915605c127ccbf5cbe71778f8dfbf821a25455496e969a01434" + hash = "704c6ffe786bc83a73fbdcd2edd50f47c3b5053da7da6aa4c10324d389a31db4" + hash = "9e56e96df36237e65b3d7dbc490afdc826215158f6278cd579c576c4b455b392" + hash = "4bd4715d2a7af627da11513e32fab925c872babebdb7ff5675a75815fbf95021" + hash = "26ef7b27d1afb685e0c136205a92d29b1091e3dcf6b7b39a4ec03fbbdb57cb55" + hash = "b0a27ac1a8173413de13860d2b2e34cb6bc4d1149f94b62d319042e11d8b004c" + hash = "200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a" + hash = "c4f041de66ec8cc5ab4a03bbc46f99e073157a4e915a9ab4069162de834ffc5c" + hash = "f6157e033a12520c73dcedf8e49cd42d103e5874c34d6527bb9de25a5d26e5ad" + hash = "406b844f4b5c82caf26056c67f9815ad8ecf1e6e5b07d446b456e5ff4a1476f9" + hash = "31b66a57fae0cc28a6a236d72a35c8b6244f997e700f9464f9cbf800dbf8bee6" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310039002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + all of them +} + + rule MAL_Driver_Microsoftcorporation_Windbgsys_Microsoftwindowsoperatingsystem_E6F7 { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - windbg.sys" @@ -21,7 +199,7 @@ rule MAL_Driver_Microsoftcorporation_Windbgsys_Microsoftwindowsoperatingsystem_E hash = "6994b32e3f3357f4a1d0abe81e8b62dd54e36b17816f2f1a80018584200a1b77" hash = "fa9abb3e7e06f857be191a1e049dd37642ec41fb2520c105df2227fcac3de5d5" hash = "770f33259d6fb10f4a32d8a57d0d12953e8455c72bb7b60cb39ce505c507013a" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e0064006f007700730020004700550049002000730079006d0062006f006c00690063002000640065006200750067006700650072 } /* FileDescription WindowsGUIsymbolicdebugger */ 
@@ -37,6 +215,116 @@ rule MAL_Driver_Microsoftcorporation_Windbgsys_Microsoftwindowsoperatingsystem_E } +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_26BE { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "26bea3b3ab2001d91202f289b7e41499d810474607db7a0893ceab74f5532f47" + hash = "4bca0a401b364a5cc1581a184116c5bafa224e13782df13272bc1b748173d1be" + hash = "5295080de37d4838e15dec4e3682545033d479d3d9ac28d74747c086559fb968" + hash = "64d4370843a07e25d4ceb68816015efcaeca9429bb5bb692a88e615b48c7da96" + hash = "0aab2deae90717a8876d46d257401d265cf90a5db4c57706e4003c19eee33550" + hash = "b8c71e1844e987cd6f9c2baf28d9520d4ccdd8593ce7051bb1b3c9bf1d97076a" + hash = "1ef7afea0cf2ef246ade6606ef8b7195de9cd7a3cd7570bff90ba1e2422276f6" + hash = "c4c9c84b211899ceb0d18a839afa497537a7c7c01ab481965a09788a9e16590c" + hash = "51805bb537befaac8ce28f2221624cb4d9cefdc0260bc1afd5e0bc97bf1f9f93" + hash = "618b15970671700188f4102e5d0638184e2723e8f57f7e917fa49792daebdadb" + hash = "62036cdf3663097534adf3252b921eed06b73c2562655eae36b126c7d3d83266" + hash = "c7bccc6f38403def4690e00a0b31eda05973d82be8953a3379e331658c51b231" + hash = "14b89298134696f2fd1b1df0961d36fa6354721ea92498a349dc421e79447925" + hash = "673bbc7fa4154f7d99af333014e888599c27ead02710f7bc7199184b30b38653" + hash = "15cf366f7b3ee526db7ce2b5253ffebcbfaa4f33a82b459237c049f854a97c0c" + hash = "c4fb31e3f24e40742a1b9855a2d67048fe64b26d8d2dbcec77d2d5deeded2bcc" + hash = "52f3905bbd97dcd2dbd22890e5e8413b9487088f1ee2fa828030a6a45b3975fd" + hash = "82b7fa34ad07dbf9afa63b2f6ed37973a1b4fe35dee90b3cf5c788c15c9f08f7" + hash = "f3ec3f22639d45b3c865bb1ed7622db32e04e1dbc456298be02bf1f3875c3aac" + hash = "b34e2d9f3d4ef59cf7af18e17133a6a06509373e69e33c8eecb2e30501d0d9e4" + hash = "8684aec77b4c3cafc1a6594de7e95695fa698625d4206a6c4b201875f76a5b38" 
+ hash = "a32dc2218fb1f538fba33701dfd9ca34267fda3181e82eb58b971ae8b78f0852" + hash = "36c65aeb255c06898ffe32e301030e0b74c8bca6fe7be593584b8fdaacd4e475" + hash = "d50cb5f4b28c6c26f17b9d44211e515c3c0cc2c0c4bf24cd8f9ed073238053ad" + hash = "822982c568b6f44b610f8dc4ab5d94795c33ae08a6a608050941264975c1ecdb" + hash = "6d68d8a71a11458ddf0cbb73c0f145bee46ef29ce03ad7ece6bd6aa9d31db9b7" + hash = "a78c9871da09fab21aec9b88a4e880f81ecb1ed0fa941f31cc2f041067e8e972" + hash = "4999541c47abd4a7f2a002c180ae8d31c19804ce538b85870b8db53d3652862b" + hash = "c8ae217860f793fce3ad0239d7b357dba562824dd7177c9d723ca4d4a7f99a12" + hash = "69866557566c59772f203c11f5fba30271448e231b65806a66e48f41e3804d7f" + hash = "a42f4ae69b8755a957256b57eb3d319678eab81705f0ffea0d649ace7321108f" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + all of them +} + + +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_06DD { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "06ddf49ac8e06e6b83fccba1141c90ea01b65b7db592c54ffe8aa6d30a75c0b8" + hash = "bcca03ce1dd040e67eb71a7be0b75576316f0b6587b2058786fda8b6f0a5adfd" + hash = "0d676baac43d9e2d05b577d5e0c516fba250391ab0cb11232a4b17fd97a51e35" + hash = "627e13da6a45006fff4711b14754f9ccfac9a5854d275da798a22f3a68dd1eaa" + hash = "dfc80e0d468a2c115a902aa332a97e3d279b1fc3d32083e8cf9a4aadf3f54ad1" + hash = "07759750fbb93c77b5c3957c642a9498fcff3946a5c69317db8d6be24098a4a0" + hash = "94ba4bcbdb55d6faf9f33642d0072109510f5c57e8c963d1a3eb4f9111f30112" + hash = "baf7fbc4743a81eb5e4511023692b2dfdc32ba670ba3e4ed8c09db7a19bd82d3" + hash = "eab9b5b7e5fab1c2d7d44cd28f13ae8bb083d9362d2b930d43354a3dfd38e05a" + hash = "b169a5f643524d59330fafe6e3e328e2179fc5116ee6fae5d39581467d53ac03" + hash = "087270d57f1626f29ba9c25750ca19838a869b73a1f71af50bdf37d6ff776212" + hash = "a74e8f94d2c140646a8bb12e3e322c49a97bd1b8a2e4327863d3623f43d65c66" + hash = "4dc24fd07f8fb854e685bc540359c59f177de5b91231cc44d6231e33c9e932b1" + hash = "0f58e09651d48d2b1bcec7b9f7bb85a2d1a7b65f7a51db281fe0c4f058a48597" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription 
mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310034002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + all of them +} + + +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_30E0 { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "30e083cd7616b1b969a92fd18cf03097735596cce7fcf3254b2ca344e526acc2" + hash = "a906251667a103a484a6888dca3e9c8c81f513b8f037b98dfc11440802b0d640" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription 
mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310033002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + all of them +} + + rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_8D9A { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wantd_4.sys" 
@@ -46,7 +334,7 @@ rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_8D hash = "e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e" hash = "06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4" hash = "b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570041004e0020005400720061006e00730070006f007200740020004400720069007600650072 } /* FileDescription WANTransportDriver */ 
@@ -62,6 +350,30 @@ rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_8D } +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_28F5 { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "28f5aa194a384680a08c0467e94a8fc40f8b0f3f2ac5deb42e0f51a80d27b553" + hash = "2fd43a749b5040ebfafd7cdbd088e27ef44341d121f313515ebde460bf3aaa21" + hash = "7824931e55249a501074a258b4f65cd66157ee35672ba17d1c0209f5b0384a28" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310035002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + all of them +} + + rule MAL_Driver_Microsoftcorporation_Ntbiosys_Microsoftrwindowsrntoperatingsystem_96BF { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ntbios.sys" @@ -69,7 +381,7 @@ rule MAL_Driver_Microsoftcorporation_Ntbiosys_Microsoftrwindowsrntoperatingsyste reference = "https://github.com/magicsword-io/LOLDrivers" hash = "96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc" hash = "c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006e007400620069006f00730020006400720069007600650072 } /* FileDescription ntbiosdriver */ @@ -91,7 +403,7 @@ rule MAL_Driver_Legalcorp_Pciexpressvideocapture_FD22 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005000430049006500200056006900640065006f00200043006100700074007500720065 } /* FileDescription PCIeVideoCapture */ 
@@ -112,7 +424,7 @@ rule MAL_Driver_Microsoftcorporation_Ndislansys_Microsoftwindowsoperatingsystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d00530020004c0041004e0020004400720069007600650072 } /* FileDescription MSLANDriver */ @@ -134,7 +446,7 @@ rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_81 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570041004e0020005400720061006e00730070006f007200740020004400720069007600650072 } /* FileDescription WANTransportDriver */ @@ -156,7 +468,7 @@ rule MAL_Driver_Sensecorp_7F45 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006e0073006500350020004400720069007600650072 } /* FileDescription SenseDriver */ 
@@ -176,7 +488,7 @@ rule MAL_Driver_Microsoftcorporation_Wintapixsys_Microsoftwindowsoperatingsystem
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e"
 hash = "8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e0064006f007700730020004b00650072006e0065006c00200045007800650063007500740069007600650020004d006f00640075006c0065 } /* FileDescription WindowsKernelExecutiveModule */
@@ -198,7 +510,7 @@ rule MAL_Driver_Sensecorp_42B2 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006e0073006500350020004400720069007600650072 } /* FileDescription SenseDriver */
@@ -211,13 +523,32 @@ rule MAL_Driver_Sensecorp_42B2 { } +rule MAL_Driver_Mimidrv_Mimidrvmimikatz_2FAF { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "2faf95a3405578d0e613c8d88d534aa7233da0a6217ce8475890140ab8fb33c8" + date = "2023-07-31" + score = 70 + strings: + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310035002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + all of them +} + + rule MAL_Driver_Microsoftcorporation_Srvnetsys_Microsoftwindowsoperatingsystem_F6C3 { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinTapix.sys, SRVNET2.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053006500720076006500720020004e006500740077006f0072006b0020006400720069007600650072 } /* FileDescription ServerNetworkdriver */ 
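Review bot: The `description` of the added rule MAL_Driver_Mimidrv_Mimidrvmimikatz_2FAF is the same sentence every other mimidrv rule in this diff carries, although this one matches a different build (ProductVersion 2.0.0.0, LegalCopyright 2007-2015) and has no FileDescription, CompanyName or FileVersion string at all, so an analyst looking at a hit cannot tell the variants apart without decoding the hex. Suggest making the build visible in the meta, e.g. `description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys (ProductVersion 2.0.0.0, copyright 2007-2015, no CompanyName string)"`. The same applies to MAL_Driver_773B in the next hunk and to each Mimidrvmimikatz_* rule added to the strict file in the `@@ -1,4 +1,182 @@` and `@@ -37,6 +215,116 @@` hunks, where the rules differ only in FileVersion/ProductVersion and copyright year.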
@@ -233,35 +564,13 @@ rule MAL_Driver_Microsoftcorporation_Srvnetsys_Microsoftwindowsoperatingsystem_F } -rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_200F { - meta: - description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a" - date = "2023-07-14" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310039002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ - 
condition: - all of them -} - - rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_6908 { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wantd_2.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570041004e0020005400720061006e00730070006f007200740020004400720069007600650072 } /* FileDescription WANTransportDriver */ @@ -283,7 +592,7 @@ rule MAL_Driver_Gmer_Gmersys_Gmer_18C9 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004d00450052002000440072006900760065007200200068007400740070003a002f002f007700770077002e0067006d00650072002e006e00650074 } /* FileDescription GMERDriverhttpwwwgmernet */ 
@@ -297,3 +606,20 @@ rule MAL_Driver_Gmer_Gmersys_Gmer_18C9 {
 condition:
 all of them
 }
+
+
+rule MAL_Driver_773B {
+ meta:
+ description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys"
+ author = "Florian Roth"
+ reference = "https://github.com/magicsword-io/LOLDrivers"
+ hash = "773b4a1efb9932dd5116c93d06681990759343dfe13c0858d09245bc610d5894"
+ date = "2023-07-31"
+ score = 70
+ strings:
+ $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* FileVersion */
+ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* ProductVersion */
+ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d002000320030003100370020 } /* LegalCopyright Copyrightc */
+ condition:
+ all of them
+}
diff --git a/detections/yara/yara-rules_mal_drivers_strict.yar b/detections/yara/yara-rules_mal_drivers_strict.yar
index 1d4c5ee35..5839a882c 100644
--- a/detections/yara/yara-rules_mal_drivers_strict.yar
+++ b/detections/yara/yara-rules_mal_drivers_strict.yar
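Review bot: The three strings in the added rule MAL_Driver_773B are generic version-info values — FileVersion and ProductVersion `2.1.1.0` and a LegalCopyright prefix that stops at `Copyright (c) 2007 - 2017 ` before any vendor name — so `all of them` will fire on any PE carrying that version and copyright span, not only the mimidrv.sys sample the description names, and with score 70 and no `uint16(0) == 0x5a4d` / filesize guard this is a false-positive risk compared with the strict rules in the next file. The rule name also has no vendor or product component, which looks like the generator found no CompanyName/ProductName/InternalName strings in this sample; if that is the case, the limitation should be stated in the meta, e.g. `description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys (version and copyright strings only, low specificity)"`, or the score lowered until a distinguishing string is available.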
@@ -1,4 +1,182 @@ +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_AAFA { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "aafa642ca3d906138150059eeddb6f6b4fe9ad90c6174386cfe13a13e8be47d9" + hash = "8206ce9c42582ac980ff5d64f8e3e310bc2baa42d1a206dd831c6ab397fbd8fe" + hash = "008fa89822b7a1f91e5843169083202ea580f7b06eb6d5cae091ba844d035f25" + hash = "b2486f9359c94d7473ad8331b87a9c17ca9ba6e4109fd26ce92dff01969eaa09" + hash = "beef40f1b4ce0ff2ee5c264955e6b2a0de6fe4089307510378adc83fad77228b" + hash = "8b30b2dc36d5e8f1ffc7281352923773fb821cdf66eb6516f82c697a524b599b" + hash = "60ee78a2b070c830fabb54c6bde0d095dff8fad7f72aa719758b3c41c72c2aa9" + hash = "e8743094f002239a8a9d6d7852c7852e0bb63cd411b007bd8c194bcba159ef15" + hash = "d41e39215c2c1286e4cd3b1dc0948adefb161f22bc3a78756a027d41614ee4ff" + hash = "d7aa8abdda8a68b8418e86bef50c19ef2f34bc66e7b139e43c2a99ab48c933be" + hash = "40556dd9b79b755cc0b48d3d024ceb15bd2c0e04960062ab2a85cd7d4d1b724a" + hash = "fefc070a5f6a9c0415e1c6f44512a33e8d163024174b30a61423d00d1e8f9bf2" + hash = "ec96b15ce218f97ec1d8f07f13b052d274c4c8438f31daf246ccfaaee5e1bebd" + hash = "6964a5d85639baee288555797992861232e75817f93028b50b8c6d34aa38b05b" + hash = "e858de280bd72d7538386a73e579580a6d5edba87b66b3671dc180229368be19" + hash = "2ce4f8089b02017cbe86a5f25d6bc69dd8b6f5060c918a64a4123a5f3be1e878" + hash = "82ac05fefaa8c7ee622d11d1a378f1d255b647ab2f3200fd323cc374818a83f2" + hash = "21617210249d2a35016e8ca6bd7a1edda25a12702a2294d56010ee8148637f5a" + hash = "443c0ba980d4db9213b654a45248fd855855c1cc81d18812cae9d16729ff9a85" + hash = "02ebf848fa618eba27065db366b15ee6629d98f551d20612ac38b9f655f37715" + hash = "a85d3fd59bb492a290552e5124bfe3f9e26a3086d69d42ccc44737b5a66673ec" + hash = "7662187c236003308a7951c2f49c0768636c492f8935292d02f69e59b01d236d" + hash = 
"c7cd14c71bcac5420872c3d825ff6d4be6a86f3d6a8a584f1a756541efff858e" + date = "2023-07-31" + score = 85 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_0740 { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = 
"0740359baef32cbb0b14a9d1bd3499ea2e770ff9b1c85898cfac8fd9aca4fa39" + hash = "4af8192870afe18c77381dfaf8478f8914fa32906812bb53073da284a49ae4c7" + hash = "818787057fc60ac8b957aa37d750aa4bace8e6a07d3d28b070022ee6dcd603ab" + hash = "af4f42197f5ce2d11993434725c81ecb6f54025110dedf56be8ffc0e775d9895" + hash = "e4b2c0aa28aac5e197312a061b05363e2e0387338b28b23272b5b6659d29b1d8" + hash = "469713c76c7a887826611b8c7180209a8bb6250f91d0f1eb84ac4d450ef15870" + hash = "2da2b883e48e929f5365480d487590957d9e6582cc6da2c0b42699ba85e54fe2" + hash = "9dc7beb60a0a6e7238fc8589b6c2665331be1e807b4d2b3ddd1c258dbbd3e2f7" + hash = "62764ddc2dce74f2620cd2efd97a2950f50c8ac5a1f2c1af00dc5912d52f6920" + hash = "3b2cd65a4fbdd784a6466e5196bc614c17d1dbaed3fd991d242e3be3e9249da6" + hash = "897f2bbe81fc3b1ae488114b93f3eb0133a85678d061c7a6f718507971f33736" + hash = "0f7bfa10075bf5c193345866333d415509433dbfe5a7d45664b88d72216ff7c3" + hash = "29348ebe12d872c5f40e316a0043f7e5babe583374487345a79bad0ba93fbdfe" + hash = "ddf427ce55b36db522f638ba38e34cd7b96a04cb3c47849b91e7554bfd09a69a" + hash = "bcb774b6f6ff504d2db58096601bc5cb419c169bfbeaa3af852417e87d9b2aa0" + date = "2023-07-31" + score = 85 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310036002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_3CA5 { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3ca5d47d076e99c312578ef6499e1fa7b9db88551cfc0f138da11105aca7c5e1" + hash = "1a5c08d40a5e73b9fe63ea5761eaec8f41d916ca3da2acbc4e6e799b06af5524" + hash = "cf9451c9ccc5509b9912965f79c2b95eb89d805b2a186d7521d3a262cf5a7a37" + hash = "80e4c83cfa9d675a6746ab846fa5da76d79e87a9297e94e595a2d781e02673b3" + hash = "e8ec06b1fa780f577ff0e8c713e0fd9688a48e0329c8188320f9eb62dfc0667f" + hash = "4b97d63ebdeda6941bb8cef5e94741c6cca75237ca830561f2262034805f0919" + hash = "4d42678df3917c37f44a1506307f1677b9a689efcf350b1acce7e6f64b514905" + hash = "d032001eab6cad4fbef19aab418650ded00152143bd14507e17d62748297c23f" + hash = "569fe70bedd0df8585689b0e88ad8bd0544fdf88b9dbfc2076f4bdbcf89c28aa" + hash = "aaf04d89fd15bc61265e545f8e1da80e20f59f90058ed343c62ee24358e3af9e" + hash = "ee7b8eb150df2788bb9d5fe468327899d9f60d6731c379fd75143730a83b1c55" + hash = "7b846b0a717665e4d9fb313f25d1f6a5b782e495387aea45cf87ad3c049ac0db" + hash = 
"082a79311da64b6adc3655e79aa090a9262acaac3b917a363b9571f520a17f6a" + hash = "4c89c907b7525b39409af1ad11cc7d2400263601edafc41c935715ef5bd145de" + hash = "492113a223d6a3fc110059fe46a180d82bb8e002ef2cd76cbf0c1d1eb8243263" + hash = "19dfacea1b9f19c0379f89b2424ceb028f2ce59b0db991ba83ae460027584987" + hash = "ac5fb90e88d8870cd5569e661bea98cf6b001d83ab7c65a5196ea3743146939a" + hash = "a1e6b431534258954db07039117b3159e889c6b9e757329bbd4126383c60c778" + hash = "f03f0fb3a26bb83e8f8fa426744cf06f2e6e29f5220663b1d64265952b8de1a1" + hash = "93aa3066ae831cdf81505e1bc5035227dc0e8f06ebbbb777832a17920c6a02fe" + hash = "85b9d7344bf847349b5d58ebe4d44fd63679a36164505271593ef1076aa163b2" + hash = "0f98492c92e35042b09032e3d9aedc357e4df94fc840217fa1091046f9248a06" + hash = "95e5b5500e63c31c6561161a82f7f9373f99b5b1f54b018c4866df4f2a879167" + hash = "d37996abc8efb29f1ccbb4335ce9ba9158bec86cc4775f0177112e87e4e3be5c" + hash = "f9b01406864ab081aa77eef4ad15cb2dd2f830d1ef54f52622a59ff1aeb05ba5" + hash = "2456a7921fa8ab7b9779e5665e6b42fccc019feb9e49a9a28a33ec0a4bb323c4" + hash = "ee525b90053bb30908b5d7bf4c5e9b8b9d6b7b5c9091a26fa25d30d3ad8ef5d0" + hash = "efa56907b9d0ec4430a5d581f490b6b9052b1e979da4dab6a110ab92e17d4576" + hash = "bc49cb96f3136c3e552bf29f808883abb9e651040415484c1736261b52756908" + hash = "10ad50fcb360dcab8539ea322aaf2270565dc835b7535790937348523d723d6b" + hash = "c42c1e5c3c04163bf61c3b86b04a5ec7d302af7e254990cef359ac80474299da" + hash = "12b0000698b79ea3c8178b9e87801cc34bad096a151a8779559519deafd4e3f0" + hash = "083f821d90e607ed93221e71d4742673e74f573d0755a96ad17d1403f65a2254" + hash = "b0b80a11802b4a8ca69c818a03e76e7ef57c2e293de456439401e8e6073f8719" + hash = "793b78e70b3ae3bb400c5a8bc4d2d89183f1d7fc70954aed43df7287248b6875" + hash = "d43520128871c83b904f3136542ea46644ac81a62d51ae9d3c3a3f32405aad96" + hash = "94c71954ac0b1fd9fa2bd5c506a16302100ba75d9f84f39ee9b333546c714601" + hash = "e99580e25f419b5ad90669e0c274cf63d30efa08065d064a863e655bdf77fb59" + hash = 
"4136f1eb11cc463a858393ea733d5f1c220a3187537626f7f5d63eccf7c5a03f" + hash = "a0931e16cf7b18d15579e36e0a69edad1717b07527b5407f2c105a2f554224b2" + date = "2023-07-31" + score = 85 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000320030002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_07BE { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = 
"https://github.com/magicsword-io/LOLDrivers" + hash = "07beac65e28ee124f1da354293a3d6ad7250ed1ce29b8342acfd22252548a5af" + hash = "41ad660820c41fc8b1860b13dc1fea8bc8cb2faceb36ed3e29d40d28079d2b1f" + hash = "a7a665a695ec3c0f862a0d762ad55aff6ce6014359647e7c7f7e3c4dc3be81b7" + hash = "9a42fa1870472c38a56c0a70f62e57a3cdc0f5bc142f3a400d897b85d65800ac" + hash = "1d23ab46ad547e7eef409b40756aae9246fbdf545d13946f770643f19c715e80" + hash = "8b32fc8b15363915605c127ccbf5cbe71778f8dfbf821a25455496e969a01434" + hash = "704c6ffe786bc83a73fbdcd2edd50f47c3b5053da7da6aa4c10324d389a31db4" + hash = "9e56e96df36237e65b3d7dbc490afdc826215158f6278cd579c576c4b455b392" + hash = "4bd4715d2a7af627da11513e32fab925c872babebdb7ff5675a75815fbf95021" + hash = "26ef7b27d1afb685e0c136205a92d29b1091e3dcf6b7b39a4ec03fbbdb57cb55" + hash = "b0a27ac1a8173413de13860d2b2e34cb6bc4d1149f94b62d319042e11d8b004c" + hash = "200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a" + hash = "c4f041de66ec8cc5ab4a03bbc46f99e073157a4e915a9ab4069162de834ffc5c" + hash = "f6157e033a12520c73dcedf8e49cd42d103e5874c34d6527bb9de25a5d26e5ad" + hash = "406b844f4b5c82caf26056c67f9815ad8ecf1e6e5b07d446b456e5ff4a1476f9" + hash = "31b66a57fae0cc28a6a236d72a35c8b6244f997e700f9464f9cbf800dbf8bee6" + date = "2023-07-31" + score = 85 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310039002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule MAL_Driver_Microsoftcorporation_Windbgsys_Microsoftwindowsoperatingsystem_E6F7 { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - windbg.sys" @@ -21,7 +199,7 @@ rule MAL_Driver_Microsoftcorporation_Windbgsys_Microsoftwindowsoperatingsystem_E hash = "6994b32e3f3357f4a1d0abe81e8b62dd54e36b17816f2f1a80018584200a1b77" hash = "fa9abb3e7e06f857be191a1e049dd37642ec41fb2520c105df2227fcac3de5d5" hash = "770f33259d6fb10f4a32d8a57d0d12953e8455c72bb7b60cb39ce505c507013a" - date = "2023-07-14" + date = "2023-07-31" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e0064006f007700730020004700550049002000730079006d0062006f006c00690063002000640065006200750067006700650072 } /* FileDescription WindowsGUIsymbolicdebugger */ 
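Review bot: The hash `200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a` now appears only in the strict rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_07BE added here, whose condition is `uint16(0) == 0x5a4d and filesize < 100KB and all of them`, while the non-strict rule that carried it with a plain `all of them` condition (MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_200F) is deleted in the `@@ -233,35 +564,13 @@` hunk of yara-rules_mal_drivers.yar. That removes the sample from the non-strict rule set and adds a size cap, so a build over 100KB that previously matched no longer would; please confirm the coverage shift is intended, and if so note it in the commit description. The FileVersion `2.2.0.0` and copyright `2007 - 2019` strings of the deleted rule match those of _07BE, so the samples look like the same build; a one-line meta comment such as `description = "... mimidrv.sys (FileVersion 2.2.0.0, copyright 2007-2019; supersedes non-strict _200F)"` would make the relationship traceable.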
@@ -37,6 +215,116 @@ rule MAL_Driver_Microsoftcorporation_Windbgsys_Microsoftwindowsoperatingsystem_E } +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_26BE { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "26bea3b3ab2001d91202f289b7e41499d810474607db7a0893ceab74f5532f47" + hash = "4bca0a401b364a5cc1581a184116c5bafa224e13782df13272bc1b748173d1be" + hash = "5295080de37d4838e15dec4e3682545033d479d3d9ac28d74747c086559fb968" + hash = "64d4370843a07e25d4ceb68816015efcaeca9429bb5bb692a88e615b48c7da96" + hash = "0aab2deae90717a8876d46d257401d265cf90a5db4c57706e4003c19eee33550" + hash = "b8c71e1844e987cd6f9c2baf28d9520d4ccdd8593ce7051bb1b3c9bf1d97076a" + hash = "1ef7afea0cf2ef246ade6606ef8b7195de9cd7a3cd7570bff90ba1e2422276f6" + hash = "c4c9c84b211899ceb0d18a839afa497537a7c7c01ab481965a09788a9e16590c" + hash = "51805bb537befaac8ce28f2221624cb4d9cefdc0260bc1afd5e0bc97bf1f9f93" + hash = "618b15970671700188f4102e5d0638184e2723e8f57f7e917fa49792daebdadb" + hash = "62036cdf3663097534adf3252b921eed06b73c2562655eae36b126c7d3d83266" + hash = "c7bccc6f38403def4690e00a0b31eda05973d82be8953a3379e331658c51b231" + hash = "14b89298134696f2fd1b1df0961d36fa6354721ea92498a349dc421e79447925" + hash = "673bbc7fa4154f7d99af333014e888599c27ead02710f7bc7199184b30b38653" + hash = "15cf366f7b3ee526db7ce2b5253ffebcbfaa4f33a82b459237c049f854a97c0c" + hash = "c4fb31e3f24e40742a1b9855a2d67048fe64b26d8d2dbcec77d2d5deeded2bcc" + hash = "52f3905bbd97dcd2dbd22890e5e8413b9487088f1ee2fa828030a6a45b3975fd" + hash = "82b7fa34ad07dbf9afa63b2f6ed37973a1b4fe35dee90b3cf5c788c15c9f08f7" + hash = "f3ec3f22639d45b3c865bb1ed7622db32e04e1dbc456298be02bf1f3875c3aac" + hash = "b34e2d9f3d4ef59cf7af18e17133a6a06509373e69e33c8eecb2e30501d0d9e4" + hash = "8684aec77b4c3cafc1a6594de7e95695fa698625d4206a6c4b201875f76a5b38" 
+ hash = "a32dc2218fb1f538fba33701dfd9ca34267fda3181e82eb58b971ae8b78f0852" + hash = "36c65aeb255c06898ffe32e301030e0b74c8bca6fe7be593584b8fdaacd4e475" + hash = "d50cb5f4b28c6c26f17b9d44211e515c3c0cc2c0c4bf24cd8f9ed073238053ad" + hash = "822982c568b6f44b610f8dc4ab5d94795c33ae08a6a608050941264975c1ecdb" + hash = "6d68d8a71a11458ddf0cbb73c0f145bee46ef29ce03ad7ece6bd6aa9d31db9b7" + hash = "a78c9871da09fab21aec9b88a4e880f81ecb1ed0fa941f31cc2f041067e8e972" + hash = "4999541c47abd4a7f2a002c180ae8d31c19804ce538b85870b8db53d3652862b" + hash = "c8ae217860f793fce3ad0239d7b357dba562824dd7177c9d723ca4d4a7f99a12" + hash = "69866557566c59772f203c11f5fba30271448e231b65806a66e48f41e3804d7f" + hash = "a42f4ae69b8755a957256b57eb3d319678eab81705f0ffea0d649ace7321108f" + date = "2023-07-31" + score = 85 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_06DD { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "06ddf49ac8e06e6b83fccba1141c90ea01b65b7db592c54ffe8aa6d30a75c0b8" + hash = "bcca03ce1dd040e67eb71a7be0b75576316f0b6587b2058786fda8b6f0a5adfd" + hash = "0d676baac43d9e2d05b577d5e0c516fba250391ab0cb11232a4b17fd97a51e35" + hash = "627e13da6a45006fff4711b14754f9ccfac9a5854d275da798a22f3a68dd1eaa" + hash = "dfc80e0d468a2c115a902aa332a97e3d279b1fc3d32083e8cf9a4aadf3f54ad1" + hash = "07759750fbb93c77b5c3957c642a9498fcff3946a5c69317db8d6be24098a4a0" + hash = "94ba4bcbdb55d6faf9f33642d0072109510f5c57e8c963d1a3eb4f9111f30112" + hash = "baf7fbc4743a81eb5e4511023692b2dfdc32ba670ba3e4ed8c09db7a19bd82d3" + hash = "eab9b5b7e5fab1c2d7d44cd28f13ae8bb083d9362d2b930d43354a3dfd38e05a" + hash = "b169a5f643524d59330fafe6e3e328e2179fc5116ee6fae5d39581467d53ac03" + hash = "087270d57f1626f29ba9c25750ca19838a869b73a1f71af50bdf37d6ff776212" + hash = "a74e8f94d2c140646a8bb12e3e322c49a97bd1b8a2e4327863d3623f43d65c66" + hash = "4dc24fd07f8fb854e685bc540359c59f177de5b91231cc44d6231e33c9e932b1" + hash = "0f58e09651d48d2b1bcec7b9f7bb85a2d1a7b65f7a51db281fe0c4f058a48597" + date = "2023-07-31" + score = 85 + strings: + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310034002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_30E0 { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "30e083cd7616b1b969a92fd18cf03097735596cce7fcf3254b2ca344e526acc2" + hash = "a906251667a103a484a6888dca3e9c8c81f513b8f037b98dfc11440802b0d640" + date = 
"2023-07-31" + score = 85 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310033002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_8D9A { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wantd_4.sys" 
@@ -46,7 +334,7 @@ rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_8D hash = "e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e" hash = "06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4" hash = "b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3" - date = "2023-07-14" + date = "2023-07-31" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570041004e0020005400720061006e00730070006f007200740020004400720069007600650072 } /* FileDescription WANTransportDriver */ 
@@ -62,6 +350,30 @@ rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_8D } +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_28F5 { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "28f5aa194a384680a08c0467e94a8fc40f8b0f3f2ac5deb42e0f51a80d27b553" + hash = "2fd43a749b5040ebfafd7cdbd088e27ef44341d121f313515ebde460bf3aaa21" + hash = "7824931e55249a501074a258b4f65cd66157ee35672ba17d1c0209f5b0384a28" + date = "2023-07-31" + score = 85 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310035002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule MAL_Driver_Microsoftcorporation_Ntbiosys_Microsoftrwindowsrntoperatingsystem_96BF { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ntbios.sys" @@ -69,7 +381,7 @@ rule MAL_Driver_Microsoftcorporation_Ntbiosys_Microsoftrwindowsrntoperatingsyste reference = "https://github.com/magicsword-io/LOLDrivers" hash = "96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc" hash = "c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c" - date = "2023-07-14" + date = "2023-07-31" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006e007400620069006f00730020006400720069007600650072 } /* FileDescription ntbiosdriver */ @@ -91,7 +403,7 @@ rule MAL_Driver_Legalcorp_Pciexpressvideocapture_FD22 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8" - date = "2023-07-14" + date = "2023-07-31" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005000430049006500200056006900640065006f00200043006100700074007500720065 } /* FileDescription PCIeVideoCapture */ 
@@ -112,7 +424,7 @@ rule MAL_Driver_Microsoftcorporation_Ndislansys_Microsoftwindowsoperatingsystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427" - date = "2023-07-14" + date = "2023-07-31" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d00530020004c0041004e0020004400720069007600650072 } /* FileDescription MSLANDriver */ @@ -134,7 +446,7 @@ rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_81 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1" - date = "2023-07-14" + date = "2023-07-31" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570041004e0020005400720061006e00730070006f007200740020004400720069007600650072 } /* FileDescription WANTransportDriver */ @@ -156,7 +468,7 @@ rule MAL_Driver_Sensecorp_7F45 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6" - date = "2023-07-14" + date = "2023-07-31" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006e0073006500350020004400720069007600650072 } /* FileDescription SenseDriver */ 
@@ -176,7 +488,7 @@ rule MAL_Driver_Microsoftcorporation_Wintapixsys_Microsoftwindowsoperatingsystem reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e" hash = "8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330" - date = "2023-07-14" + date = "2023-07-31" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e0064006f007700730020004b00650072006e0065006c00200045007800650063007500740069007600650020004d006f00640075006c0065 } /* FileDescription WindowsKernelExecutiveModule */ @@ -198,7 +510,7 @@ rule MAL_Driver_Sensecorp_42B2 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25" - date = "2023-07-14" + date = "2023-07-31" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006e0073006500350020004400720069007600650072 } /* FileDescription SenseDriver */ 
@@ -211,13 +523,32 @@ rule MAL_Driver_Sensecorp_42B2 { } +rule MAL_Driver_Mimidrv_Mimidrvmimikatz_2FAF { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "2faf95a3405578d0e613c8d88d534aa7233da0a6217ce8475890140ab8fb33c8" + date = "2023-07-31" + score = 85 + strings: + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310035002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule MAL_Driver_Microsoftcorporation_Srvnetsys_Microsoftwindowsoperatingsystem_F6C3 { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinTapix.sys, SRVNET2.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d" - date = "2023-07-14" + date = "2023-07-31" score = 85 strings: $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053006500720076006500720020004e006500740077006f0072006b0020006400720069007600650072 } /* FileDescription ServerNetworkdriver */ 
@@ -233,35 +564,13 @@ rule MAL_Driver_Microsoftcorporation_Srvnetsys_Microsoftwindowsoperatingsystem_F } -rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_200F { - meta: - description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a" - date = "2023-07-14" - score = 85 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310039002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ - 
condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them -} - - rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_6908 { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wantd_2.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f" - date = "2023-07-14" + date = "2023-07-31" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570041004e0020005400720061006e00730070006f007200740020004400720069007600650072 } /* FileDescription WANTransportDriver */ @@ -283,7 +592,7 @@ rule MAL_Driver_Gmer_Gmersys_Gmer_18C9 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7" - date = "2023-07-14" + date = "2023-07-31" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004d00450052002000440072006900760065007200200068007400740070003a002f002f007700770077002e0067006d00650072002e006e00650074 } /* FileDescription GMERDriverhttpwwwgmernet */ 
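Review bot: The removed rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_200F carried hash `200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a`, and that hash does not reappear in any of the new mimidrv rules visible in this diff (30E0, 28F5, 2FAF, 773B). Unless it is covered in another rule file, that sample silently loses YARA coverage and any consumer that keys on the `hash` meta stops linking it. The file looks regenerated (every `date` is bumped together), so this is presumably a generator-side data change rather than an intentional drop; worth confirming before merge.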
@@ -297,3 +606,20 @@ rule MAL_Driver_Gmer_Gmersys_Gmer_18C9 { condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } + + +rule MAL_Driver_773B { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "773b4a1efb9932dd5116c93d06681990759343dfe13c0858d09245bc610d5894" + date = "2023-07-31" + score = 85 + strings: + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* ProductVersion */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d002000320030003100370020 } /* LegalCopyright Copyrightc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} diff --git a/detections/yara/yara-rules_vuln_drivers.yar b/detections/yara/yara-rules_vuln_drivers.yar index b39fb4fc8..62c59d946 100644 --- a/detections/yara/yara-rules_vuln_drivers.yar +++ b/detections/yara/yara-rules_vuln_drivers.yar 
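Review bot: MAL_Driver_773B matches on nothing sample-specific: its three strings are FileVersion `2.1.1.0`, ProductVersion `2.1.1.0` and the LegalCopyright prefix "Copyright (c) 2007 - 2017 " with no vendor, InternalName or OriginalFilename, yet it ships at `score = 85` like the fully populated mimidrv rules. Any small PE whose VersionInfo happens to carry those values will fire, which is a false-positive risk for anyone using this score as a blocking threshold. If the sample's VersionInfo genuinely lacks identifying fields, the generator should either lower the score for rules built from generic fields only or annotate them, e.g. `// NOTE: built from generic VersionInfo fields only (version + copyright prefix); low specificity`.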
@@ -1,11 +1,121 @@ +rule PUA_VULN_Driver_Novellinc_Novellxtier_EC13 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ec1307356828426d60eab78ffb5fc48a06a389dea6e7cc13621f1fa82858a613" + hash = "6c5aef14613b8471f5f4fdeb9f25b5907c2335a4bc18b3c2266fb1ffd8f1741d" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Iobit_Iobitunlockersys_Iobitunlocker_5EA5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iobitunlocker.sys" + author 
= "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5ea5f339b2e40dea57378626790ca7e9a82777aacdada5bc61ebb7d82043fa07" + hash = "b0dd55b4dc7e561dfe413b029673674e2a5381f5f4daede03ddf3484310a6e11" + hash = "a92d2736c8cd99195a1ef4d0d9a3412bee481acf585944e3b5946b465361a3e7" + hash = "d3e95b8d8cbb0c4c3bb78d929408b37fd3b8f305b6234f7f03954465d52454eb" + hash = "b6ae324b84a4632cf690dd565954d64b205104fc3fa42181612c3f5b830579c6" + hash = "d8096325bfe81b093dd522095b6153d9c4850ba2eaa790e12e7056ef160d0432" + hash = "0209934453e9ce60b1a5e4b85412e6faf29127987505bfb1185fc9296c578b09" + hash = "2b33df9aff7cb99a782b252e8eb65ca49874a112986a1c49cd9971210597a8ae" + hash = "c2e1a3dd0dfb3477a3e855368b23d12b8818df8fa3bc3508abf069a0873d6bf8" + hash = "faa9aa7118ecf9bb6594281f6b582f1ced0cc62d5db09a2fbf9b7ce70c532285" + hash = "507724d96a54f3e45c16a065bf38ae82a9b80d07096a461068a701cae0c1cf29" + hash = "969f73a1da331e43777a3c1f08ec0734e7cf8c8136e5d469cbad8035fbfe3b47" + hash = "a38c26c0754f6c9389ea43dd0149db26b95742c1b37468fcf0d8ced66da1dcb9" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f0062006900740055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription IObitUnlockerDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f006200690074 } /* CompanyName IObit */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* InternalName IObitUnlockersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072 
} /* ProductName IObitUnlocker */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* OriginalFilename IObitUnlockersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0049004f00620069007400200043006f0070007900720069006700680074002000a900200032003000300035002d0032003000310033 } /* LegalCopyright IObitCopyright */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_D807 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d80714d87529bb0bc7abcc12d768c43a697fbca59741c38fa0b46900da4db30e" + hash = "fed0fe2489ae807913be33827b3b11359652a127e33b64464cc570c05abd0d17" + hash = "7048d90ed4c83ad52eb9c677f615627b32815066e34230c3b407ebb01279bae6" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003600200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Powertool_Kevpsys_Powertool_7462 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kEvP64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7462b7ae48ae9469474222d4df2f0c4f72cdef7f3a69a524d4fccc5ed0fd343f" + hash = "7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230" + hash = "d9500af86bf129d06b47bcfbc4b23fcc724cfbd2af58b03cdb13b26f8f50d65e" + hash = "97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56" + hash = "e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4" + hash = "2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d" + hash = "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c" + hash = "09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184" + hash = "8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006f0077006500720054006f006f006c } /* FileDescription PowerTool */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* CompanyName PowerTool */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* InternalName kEvPsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* ProductName PowerTool */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* OriginalFilename kEvPsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0050006f0077006500720054006f006f006c } /* LegalCopyright PowerTool */ + condition: + all of them +} + + rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_8B92 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -27,7 +137,7 @@ rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_7196 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */ 
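Review bot: The new PUA_VULN_Driver_* rules in this hunk (EC13, 5EA5, D807, 7462) use `condition: all of them` with no PE header or size guard, whereas every MAL_Driver_* rule in the same commit uses `uint16(0) == 0x5a4d and filesize < 100KB and all of them`. Without the `uint16(0) == 0x5a4d` check the UTF-16 VersionInfo strings are searched in every scanned file regardless of format, which costs scan time and can match embedded or archived copies of the driver rather than the driver itself; a minimal fix is `uint16(0) == 0x5a4d and all of them`. The same applies to the four rules added in the `@@ -187,6 +300,105 @@` hunk of this file. If the pre-existing PUA_VULN rules here already use the bare form, this is a generator template choice and should be changed there for consistency rather than per rule.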
@@ -50,7 +160,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_1 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e" hash = "51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -73,7 +183,7 @@ rule PUA_VULN_Driver_Yyinc_Dianhu_BB50 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955" hash = "80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006400690061006e00680075 } /* FileDescription dianhu */ @@ -93,7 +203,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_CF4B { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d005300490043006c006f0063006b005f00430043 } /* FileDescription NTIOLibforMSIClockCC */ 
@@ -111,12 +221,14 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_CF4B { rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8F68 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00" + hash = "7227377a47204f8e2ff167eee54b4b3545c0a19e3727f0ec59974e1a904f4a96" + hash = "b11e109f6b3dbc8aa82cd7da0b7ba93d07d9809ee2a4b21ec014f6a676a53027" hash = "c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ 
@@ -138,11 +250,12 @@ rule PUA_VULN_Driver_Phoenixtechnologies_Agentsys_Driveragent_6948 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa" + hash = "4db1e0fdc9e6cefeb1d588668ea6161a977c372d841e7b87098cf90aa679abfb" hash = "8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f" hash = "b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414" hash = "05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748" hash = "4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004400720069007600650072004100670065006e0074002000440069007200650063007400200049002f004f00200066006f0072002000360034002d006200690074002000570069006e0064006f00770073 } /* FileDescription DriverAgentDirectIOforbitWindows */ @@ -171,7 +284,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_FF11 { hash = "57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572" hash = "4d0580c20c1ba74cf90d44c82d040f0039542eea96e4bbff3996e6760f457cee" hash = "a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
@@ -187,6 +300,105 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_FF11 { } +rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxusbsys_Virtualboxusbdriver_5B26 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSB.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5b26c4678ecd37d1829513f41ff9e9df9ef1d1d6fea9e3d477353c90cc915291" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* FileDescription VirtualBoxUSBdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* InternalName VBoxUSBSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* ProductName VirtualBoxUSBdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* OriginalFilename VBoxUSBSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright SunMicrosystemsInc */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_8E92 { + meta: + description = "Detects vulnerable driver mentioned in 
LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8e92aacd60fca1f09b7257e62caf0692794f5d741c5d1eec89d841e87f2c359c" + hash = "84c5f6ddd9c90de873236205b59921caabb57ac6f7a506abbe2ce188833bbe51" + hash = "ac1af529c9491644f1bda63267e0f0f35e30ab0c98ab1aecf4571f4190ab9db4" + hash = "2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e" + hash = "79440da6b8178998bdda5ebde90491c124b1967d295db1449ec820a85dc246dd" + hash = "6001c6acae09d2a91f8773bbdfd52654c99bc672a9756dc4cb53dc2e3efeb097" + hash = "dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98" + hash = "8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126" + hash = "49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_7D4C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NCHGBIOS2x64.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7d4ca5760b6ad2e4152080e115f040f9d42608d2c7d7f074a579f911d06c8cf8" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00420049004f00530020005500700064006100740065002000440072006900760065007200200046006f0072002000570069006e0064006f007700730020007800360034002000450064006900740069006f006e } /* FileDescription BIOSUpdateDriverForWindowsxEdition */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e } /* CompanyName TOSHIBACorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0031002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* InternalName NCHGBIOSxSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0054004f00530048004900420041002000420049004f00530020005000610063006b006100670065 } /* ProductName TOSHIBABIOSPackage */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* OriginalFilename NCHGBIOSxSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200031003900390039002d003200300031003000200054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCTOSHIBACorporationAllRightsReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_D7B7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d7b743c3f98662c955c616e0d1bb0800c9602e5b6f2385336a72623037bfd6dd" + hash = "2665d3127ddd9411af38a255787a4e2483d720aa021be8d6418e071da52ed266" + hash = "567809308cfb72d59b89364a6475f34a912d03889aa50866803ac3d0bf2c3270" + hash = "93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ + condition: + all of them +} + + rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_2BBE { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" @@ -194,7 +406,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_2BBE { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250" hash = "e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d0053004900530069006d0070006c0065005f004f0043 } /* FileDescription NTIOLibForMSISimpleOC */ 
@@ -217,7 +429,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_97B3 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd" hash = "89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -239,7 +451,7 @@ rule PUA_VULN_Driver_Phoenixtechnologiesltd_Phlashnt_Winphlash_65DB { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300570069006e0046006c006100730068002000440072006900760065007200200066006f0072002000570069006e0064006f007700730020004e0054 } /* FileDescription SWinFlashDriverforWindowsNT */ @@ -262,7 +474,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_EE3F { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7" hash = "62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -284,7 +496,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_ECD0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -306,7 +518,7 @@ rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriver_D205 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ 
@@ -322,13 +534,35 @@ rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriver_D205 { } +rule PUA_VULN_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_BE68 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "be683cd38e64280567c59f7dc0a45570abcb8a75f1d894853bbbd25675b4adf7" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055002d005a0020004400720069007600650072 } /* FileDescription CPUZDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_1023 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -346,11 +580,11 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_B019 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003300320020007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ 
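Review bot: The condition of the new BE68 rule is just `all of them`, with no `uint16(0) == 0x5a4d` check and no `filesize` bound, so it also fires on any file that carries the driver's VersionInfo block byte-for-byte (installer packages, archives with stored members, memory images) rather than on the PE itself. If that wider scope is intended for a score-40 PUA rule, the description should say so; otherwise a condition such as `uint16(0) == 0x5a4d and filesize < 2MB and all of them` (the bound is an example, size it to the samples) confines hits to PE files and cuts the per-file scanning cost. Every rule this commit adds uses the same bare condition, so the point applies equally to the 65DE, Novell 66A2, Razer 0B54, LgDataCatcher, Novell F77F and 3140 and netfilter2 rules.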
@@ -366,6 +600,39 @@ rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_B019 { } +rule PUA_VULN_Driver_Windowsrwinddkprovider_Cpuzsys_Windowsrwinddkdriver_65DE { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "65deb5dca18ee846e7272894f74d84d9391bbe260c22f24a65ab37d48bd85377" + hash = "c7f64b27cd3be5af1c8454680529ea493dfbb09e634eec7e316445ad73499ae0" + hash = "c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e" + hash = "922d23999a59ce0d84b479170fd265650bc7fae9e7d41bf550d8597f472a3832" + hash = "1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c" + hash = "60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289" + hash = "592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c" + hash = "2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e" + hash = "c673f2eed5d0eed307a67119d20a91c8818a53a3cb616e2984876b07e5c62547" + hash = "b7aa4c17afdaff1603ef9b5cc8981bed535555f8185b59d5ae13f342f27ca6c5" + hash = "8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b" + hash = "4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Windowsrwinddkprovider_Amifldrvsys_Windowsrwinddkdriver_38D8 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amifldrv64.sys, amifldrv.sys" @@ -373,7 +640,7 @@ rule PUA_VULN_Driver_Windowsrwinddkprovider_Amifldrvsys_Windowsrwinddkdriver_38D reference = "https://github.com/magicsword-io/LOLDrivers" hash = "38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20" hash = "ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0049002000470065006e00650072006900630020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription AMIGenericUtilityDriver */ 
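Review bot: The description of the new 65DE rule reads `... - cpuz.sys`, the same text as the BE68 rule and the 0D37 rule this commit extends, although the three differ only in their VersionInfo strings (here CompanyName `Windows (R) Win 7 DDK provider` and FileVersion `6.1.7600.16385`). Since the rule name encodes only a hash prefix, an analyst seeing a hit cannot tell which cpuz.sys build matched without decoding the hex, so appending the version to the description, e.g. `... - cpuz.sys (FileVersion 6.1.7600.16385)`, would make hits self-describing. The same applies to the two rzpnk.sys rules D7B7 (`1.0.12.10155`) and 0B54 (`1.0.12.10177`).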
@@ -395,7 +662,7 @@ rule PUA_VULN_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_9131 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */ @@ -417,7 +684,7 @@ rule PUA_VULN_Driver_Cyreninc_Amp_Cyrenamp_CBB8 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00500020004d0069006e006900660069006c007400650072 } /* FileDescription AMPMinifilter */ 
@@ -433,6 +700,54 @@ rule PUA_VULN_Driver_Cyreninc_Amp_Cyrenamp_CBB8 { } +rule PUA_VULN_Driver_Novellinc_Novellxtier_66A2 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "66a20fc2658c70facd420f5437a73fa07a5175998e569255cfb16c2f14c5e796" + hash = "4cd80f4e33b713570f6a16b9f77679efa45a466737e41db45b41924e7d7caef4" + hash = "00c02901472d74e8276743c847b8148be3799b0e3037c1dfdca21fa81ad4b922" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_0B54 { + meta: + description = "Detects 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0b547368c03e0a584ae3c5e62af3728426c68b316a15f3290316844d193ad182" + hash = "f15962354d37089884abba417f58e9dbd521569b4f69037a24a37cfc2a490672" + hash = "9fa120bda98633e30480d8475c9ac6637470c4ca7c63763560bf869138091b01" + hash = "9eba5d1545fdbf37cf053ac3f3ba45bcb651b8abb7805cbfdfb5f91ea294fb95" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100370037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100370037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ + condition: + all of them +} + + rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7882 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
vboxdrv.sys" @@ -440,7 +755,7 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7882 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f" hash = "c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ 
@@ -456,6 +771,30 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7882 { } +rule PUA_VULN_Driver_Windowsrwinddkprovider_Lgdatacatchersys_Gameacc_07FB { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgDataCatcher.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "07fb2bb6c852f6a6fe982b2232f047e167be39738bac26806ffe0927ba873756" + hash = "45b07a2f387e047a6bb0e59b7f22fb56182d57b50e84e386a38c2dbb7e773837" + hash = "516159871730b18c2bddedb1a9da110577112d4835606ee79bb80e7a58784a13" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006500690067006f00640020006e006500740020006400610074006100200063006100740063006800650072002e } /* FileDescription Leigodnetdatacatcher */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c006700440061007400610043006100740063006800650072002e007300790073 } /* InternalName LgDataCatchersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470061006d0065004100630063 } /* ProductName GameAcc */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c006700440061007400610043006100740063006800650072002e007300790073 } /* OriginalFilename LgDataCatchersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002000320030003200300020006e006e002e0063006f006d } /* LegalCopyright 
Copyrightnncom */ + condition: + all of them +} + + rule PUA_VULN_Driver_Bsmisys_552F { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BSMIx64.sys" @@ -463,7 +802,7 @@ rule PUA_VULN_Driver_Bsmisys_552F { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9" hash = "59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053004d00490020004400720069007600650072 } /* FileDescription SMIDriver */ @@ -486,7 +825,7 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Bsdefsys_Supportsstsfssteeatftatcamfntam hash = "5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be" hash = "3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5" hash = "0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440065006600610075006c0074002000420049004f005300200046006c0061007300680020004400720069007600650072 } /* FileDescription DefaultBIOSFlashDriver */ @@ -508,7 +847,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3070 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0053004900200043006f006d00430065006e00530065007200760069006300650020004400720069007600650072 } /* FileDescription MSIComCenServiceDriver */ 
@@ -530,7 +869,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_AAA3 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -552,7 +891,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_654C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -574,18 +913,25 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_0D37 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f" + hash = "c8f0bb5d8836e21e7a22a406c69c01ba7d512a808c37c45088575d548ee25caa" hash = "df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15" + hash = "636b4c1882bcdd19b56370e2ed744e059149c64c96de64ac595f20509efa6220" hash = "19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758" + hash = "b01ebea651ec7780d0fe88dd1b6c2500a36dacf85e3a4038c2ca1c5cb44c7b5d" hash = "8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6" hash = "5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe" + hash = "a11cf43794ea5b5122a0851bf7de08e559f6e9219c77f9888ff740055f2c155e" + hash = "d0543f0fdc589c921b47877041f01b17a534c67dcc7c5ad60beba8cf7e7bc9c6" + hash = "b9695940f72e3ed5d7369fb32958e2146abd29d5895d91ccc22dfbcc9485b78b" hash = "11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b" + hash = "e51ec2876af3c9c3f1563987a9a35a10f091ea25ede16b1a34ba2648c53e9dfc" hash = "e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90" hash = "80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1" hash = "523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba" hash = "67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc" hash = "1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512" hash = "9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ 
@@ -607,7 +953,7 @@ rule PUA_VULN_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_3143 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00420049004f00530020005500700064006100740065002000440072006900760065007200200046006f0072002000570069006e0064006f007700730020007800360034002000450064006900740069006f006e } /* FileDescription BIOSUpdateDriverForWindowsxEdition */ 
@@ -623,13 +969,37 @@ rule PUA_VULN_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_3143 { } +rule PUA_VULN_Driver_Novellinc_Novellxtier_F77F { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f77fe6b1e0e913ac109335a8fa2ac4961d35cbbd50729936059aba8700690a9e" + hash = "c6feb3f4932387df7598e29d4f5bdacec0b9ce98db3f51d96fc4ffdcc6eb10e1" + hash = "1675eedd4c7f2ec47002d623bb4ec689ca9683020e0fdb0729a9047c8fb953dd" + hash = "e7b79fe1377b3da749590c080d4d96e59e622b1013b2183b98c81baa8bf2fffe" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them 
+} + + rule PUA_VULN_Driver_Wj_Kprocesshacker_C725 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - krpocesshacker.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kprocesshacker.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */ 
@@ -644,15 +1014,72 @@ rule PUA_VULN_Driver_Wj_Kprocesshacker_C725 { } -rule PUA_VULN_Driver_Atitechnologiesinc_Atillksys_Atidiagnostics_5C04 { +rule PUA_VULN_Driver_Novellinc_Novellxtier_3140 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a" - hash = "ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173" + hash = "3140005ce5cac03985f71c29732859c88017df9d41c3761aa7c57bbcb7ad2928" + hash = "18f306b6edcfacd33b7b244eaecdd0986ef342f0d381158844d1f0ee1ac5c8d7" + hash = "c08581e3e444849729c5b956d0d6030080553d0bc6e5ae7e9a348d45617b9746" + hash = "94c226a530dd3cd8d911901f702f3dab8200d1d4fdc73fcb269f7001f4e66915" + hash = "00b3ff11585c2527b9e1c140fd57cb70b18fd0b775ec87e9646603056622a1fd" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* 
OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwinddkdriver_47E3 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "47e35f474f259314c588af35e88561a015801b52db523eb75fc7eccff8b3be4d" + hash = "6703400b490b35bcde6e41ce1640920251855e6d94171170ae7ea22cdd0938c0" + hash = "f488500be4eaafba74b644be95d4c0523297770fb9bb78c449f643ab8d4a05d9" + hash = "639ff79f13e40d47b90ecd709699edd10e740cb41451acb95590a68b6352de2b" + hash = "0eace788e09c8d3f793a1fad94d35bcfd233f0777873412cd0c8172865562eec" + hash = "db1dbb09d437d3e8bed08c88ca43769b4fe8728f68b78ff6f9c8d2557e28d2b1" + hash = "5c54a5cd3386ac14725a07962562e9fdcefbb7be0d19803f9d71de24573de1e3" + hash = "8017e618b5a7aa608cc4bce16e4defd6b4e99138c4ba1bdd6ad78e39f035cf59" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b00200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0039002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Atitechnologiesinc_Atillksys_Atidiagnostics_5C04 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a" + hash = "c825a47817399e988912bb75106befaefae0babc0743a7e32b46f17469c78cad" + hash = "be66f3bbfed7d648cfd110853ddb8cef561f94a45405afc6be06e846b697d2b0" + hash = "ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173" hash = "38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7" - date = "2023-07-14" + hash = "6c6c5e35accc37c928d721c800476ccf4c4b5b06a1b0906dc5ff4df71ff50943" + date = "2023-07-31" score = 40 strings: $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410054004900200044006900610067006e006f007300740069006300730020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription ATIDiagnosticsHardwareAbstractionSys */ @@ -674,7 +1101,7 @@ rule PUA_VULN_Driver_Lenovogrouplimitedr_Lenovodiagnosticsdriversys_Lenovodiagno author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c0065006e006f0076006f00200044006900610067006e006f00730074006900630073002000440072006900760065007200200066006f0072002000570069006e0064006f0077007300200031003000200061006e00640020006c0061007400650072002e } /* FileDescription LenovoDiagnosticsDriverforWindowsandlater */ @@ -697,7 +1124,7 @@ rule PUA_VULN_Driver_Lgelectronicsinc_Lhasys_Microsoftwindowsoperatingsystem_E75 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf" hash = "23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c00480041 } /* FileDescription LHA */ 
@@ -713,6 +1140,29 @@ rule PUA_VULN_Driver_Lgelectronicsinc_Lhasys_Microsoftwindowsoperatingsystem_E75 } +rule PUA_VULN_Driver_Novellinc_Novellxtier_E728 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e728b259113d772b4e96466ab8fe18980f37c36f187b286361c852bd88101717" + hash = "a15325e9e6b8e4192291deb56c20c558dde3f96eb682c6e90952844edb984a00" + hash = "4c859b3d11d2ff0049b644a19f3a316a8ca1a4995aa9c39991a7bde8d4f426a4" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + rule 
PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriverfle_55FE { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_I2cIo.sys" @@ -721,7 +1171,7 @@ rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriverfle_55FE { hash = "55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a" hash = "42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb" hash = "f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ 
@@ -737,34 +1187,6 @@ rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriverfle_55FE { } -rule PUA_VULN_Driver_Windowsrwinddkprovider_Cpuzsys_Windowsrwinddkdriver_C3E1 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e" - hash = "1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c" - hash = "60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289" - hash = "592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c" - hash = "2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e" - hash = "8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b" - hash = "4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036" - date = "2023-07-14" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ - condition: - all of them -} - - rule PUA_VULN_Driver_Windowsrserverddkprovider_Gdrvsys_Windowsrserverddkdriver_1792 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" @@ -772,8 +1194,9 @@ rule PUA_VULN_Driver_Windowsrserverddkprovider_Gdrvsys_Windowsrserverddkdriver_1 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229" hash = "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427" + hash = "88992ddcb9aaedb8bfcc9b4354138d1f7b0d7dddb9e7fcc28590f27824bee5c3" hash = "6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ 
@@ -795,10 +1218,15 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_34BE { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "34bee22c18ddbddbe115cf1ab55cabf0e482aba1eb2c343153577fb24b7226d3" + hash = "da617fe914a5f86dc9d657ef891bbbceb393c8a6fea2313c84923f3630255cdb" hash = "5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02" + hash = "368a9c2b6f12adbe2ba65181fb96f8b0d2241e4eae9f3ce3e20e50c3a3cc9aa1" + hash = "572c545b5a95d3f4d8c9808ebeff23f3c62ed41910eb162343dd5338e2d6b0b4" + hash = "4d5059ec1ebd41284b9cea6ce804596e0f386c09eee25becdd3f6949e94139ba" hash = "bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa" + hash = "11a4b08e70ebc25a1d4c35ed0f8ef576c1424c52b580115b26149bd224ffc768" hash = "ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -820,7 +1248,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_7 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ 
@@ -842,7 +1270,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -864,9 +1292,17 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_26E3 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43" + hash = "53bd8e8d3542fcf02d09c34282ebf97aee9515ee6b9a01cefd81baa45c6fd3d6" + hash = "b4c07f7e7c87518e8950eb0651ae34832b1ecee56c89cdfbd1b4efa8cf97779f" + hash = "b738eab6f3e32cec59d5f53c12f13862429d3db6756212bbcd78ba4b4dbc234c" + hash = "0484defcf1b5afbe573472753dc2395e528608b688e5c7d1d178164e48e7bed7" + hash = "d366cbc1d5dd8863b45776cfb982904abd21d0c0d4697851ff54381055abcfc8" + hash = "65e3548bc09dffd550e79501e3fe0fee268f895908e2bba1aa5620eb9bdac52d" hash = "c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26" + hash = "fb1183ef22ecbcc28f9c0a351c2c0280f1312a0fdf8a9983161691e2585efc70" + hash = "8a0702681bc51419fbd336817787a966c7f92cabe09f8e959251069578dfa881" hash = "3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ 
@@ -888,9 +1324,12 @@ rule PUA_VULN_Driver_Novellinc_Novellxtier_2E66 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0" + hash = "b0b6a410c22cc36f478ff874d4a23d2e4b4e37c6e55f2a095fc4c3ef32bcb763" hash = "fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f" + hash = "5a661e26cfe5d8dedf8c9644129039cfa40aebb448895187b96a8b7441d52aaa" hash = "76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22" - date = "2023-07-14" + hash = "202d9703a5b8d06c5f92d2c5218a93431aa55af389007826a9bfaaf900812213" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ @@ -911,10 +1350,12 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_8D57 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2" + hash = "b8ffe83919afc08a430c017a98e6ace3d9cbd7258c16c09c4f3a4e06746fc80a" hash = "f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c" hash = "900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88" hash = "771015b2620942919bb2e0683476635b7a09db55216d6fbf03534cb18513b20c" - date = "2023-07-14" + hash = "6c5c6c350c8dd4ca90a8cca0ed1eeca185ebc67b1100935c8f03eb3032aca388" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ 
@@ -936,7 +1377,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_9 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ 
@@ -952,6 +1393,38 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_9 } +rule PUA_VULN_Driver_Asrockincorporation_Asrdrvsys_Asrockiodriver_4D03 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrDrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4d03a01257e156a3a018230059052791c3cde556e5cec7a4dd2f55f65c06e146" + hash = "950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9" + hash = "ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c" + hash = "a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc" + hash = "53bb076e81f6104f41bc284eedae36bd99b53e42719573fa5960932720ebc854" + hash = "d20d8bf80017e98b6dfc9f6c3960271fa792a908758bef49a390e2692a2a4341" + hash = "f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b" + hash = "3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838" + hash = "2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d" + hash = "6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7" + hash = "4bf974f5d3489638a48ee508b4a8cfa0f0262909778ccdd2e871172b71654d89" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* FileDescription ASRockIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* InternalName AsrDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* ProductName ASRockIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* OriginalFilename AsrDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ + condition: + all of them +} + + rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_9521 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" @@ -988,7 +1461,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_9521 { hash = "9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449" hash = "7893307df2fdde25371645a924f0333e1b2de31b6bc839d8e2a908d7830c6504" hash = "39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ 
@@ -1012,7 +1485,8 @@ rule PUA_VULN_Driver_Asustek_Driversys_Ectool_4285 { hash = "42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0" hash = "927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a" hash = "771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd" - date = "2023-07-14" + hash = "1beb15c90dcf7a5234ed077833a0a3e900969b60be1d04fcebce0a9f8994bdbb" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400680065002000640072006900760065007200200066006f007200200074006800650020004500430074006f006f006c0020006400720069007600650072002d0062006100730065006400200074006f006f006c0073 } /* FileDescription ThedriverfortheECtooldriverbasedtools */ 
@@ -1028,6 +1502,30 @@ rule PUA_VULN_Driver_Asustek_Driversys_Ectool_4285 { } +rule PUA_VULN_Driver_Netfiltersys_26D6 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "26d67d479dafe6b33c980bd1eed0b6d749f43d05d001c5dcaaf5fcddb9b899fe" + hash = "2fa78c2988f9580b0c18822b117d065fb419f9c476f4cfa43925ba6cd2dffac3" + hash = "6a234a2b8eb3844f7b5831ee048f88e8a76e9d38e753cc82f61b234c79fe1660" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a00530051002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQTDIHookDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + condition: + all of them +} + + rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_D682 { meta: 
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" @@ -1044,7 +1542,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_D hash = "89b9823ed974a5b71de8468324d45b7e9d6dc914f93615ba86c6209b25b3cbf7" hash = "e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd" hash = "c089a31ac95d41ed02d1e4574962f53376b36a9e60ff87769d221dc7d1a3ecfa" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -1066,7 +1564,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_949 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ 
@@ -1082,13 +1580,35 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_949 } +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_9E34 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9e3430d5e0e93bc4a5dccc985053912065e65722bfc2eaf431bc1da91410434c" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0036003000380037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0036003000380037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + condition: + all of them +} + + rule PUA_VULN_Driver_Zemanaltd_Zam_7CB5 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = 
"7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -1109,7 +1629,7 @@ rule PUA_VULN_Driver_Eldoscorporation_Elrawdsksys_Rawdisk_5A82 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a" hash = "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200610077004400690073006b0020004400720069007600650072002e00200041006c006c006f00770073002000770072006900740065002000610063006300650073007300200074006f002000660069006c0065007300200061006e006400200072006100770020006400690073006b00200073006500630074006f0072007300200066006f0072002000750073006500720020006d006f006400650020006100700070006c00690063006100740069006f006e007300200069006e002000570069006e0064006f007700730020003200300030003000200061006e00640020006c0061007400650072002e } /* FileDescription RawDiskDriverAllowswriteaccesstofilesandrawdisksectorsforusermodeapplicationsinWindowsandlater */ @@ -1131,7 +1651,7 @@ rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_C505 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ 
@@ -1147,13 +1667,61 @@ rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_C505 {
 }
 
 
+rule PUA_VULN_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutsys_Inpoutdriverversion_B8DE {
+ meta:
+ description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - inpout32.sys"
+ author = "Florian Roth"
+ reference = "https://github.com/magicsword-io/LOLDrivers"
+ hash = "b8ded5e10dfc997482ba4377c60e7902e6f755674be51b0e181ae465529fb2f2"
+ hash = "945ee05244316ff2f877718cf0625d4eb34e6ec472f403f958f2a700f9092507"
+ hash = "cfab93885e5129a86d13fd380d010cc8c204429973b776ab1b472d84a767930f"
+ hash = "7db320e49139f636c8b6d12b6c78b666a62599e9d59587ba87c6b89b0a34b18d"
+ hash = "16360ead229b13deb47bc2bef40f282474c9f18c213c636cdfb8cc2495168251"
+ date = "2023-07-31"
+ score = 40
+ strings:
+ $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00650072006e0065006c0020006c006500760065006c00200070006f0072007400200061006300630065007300730020006400720069007600650072 } /* FileDescription Kernellevelportaccessdriver */
+ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048006900670068007200650073006f006c007500740069006f006e00200045006e0074006500720070007200690073006500730020005b007700770077002e006800690067006800720065007a002e0063006f002e0075006b005d } /* CompanyName HighresolutionEnterpriseswwwhighrezcouk */
+ $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
+ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032 } /* ProductVersion */
+ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006e0070006f0075007400330032002e007300790073 } /* InternalName inpoutsys */
+ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006e0070006f00750074003300320020004400720069007600650072002000560065007200730069006f006e00200031002e0032 } /* ProductName inpoutDriverVersion */
+ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006e0070006f0075007400330032002e007300790073 } /* OriginalFilename inpoutsys */
+ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300030003800200048006900670068007200650073006f006c007500740069006f006e00200045006e007400650072007000720069007300650073002e00200050006f007200740069006f006e007300200043006f007000790072006900670068007400200028006300290020004c006f00670069007800340075 } /* LegalCopyright CopyrightcHighresolutionEnterprisesPortionsCopyrightcLogixu */
+ condition:
+ all of them
+}
+
+
+rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_B9AD {
+ meta:
+ description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys"
+ author = "Florian Roth"
+ reference = "https://github.com/magicsword-io/LOLDrivers"
+ hash = "b9ad7199c00d477ebbc15f2dcf78a6ba60c2670dad0ef0994cebccb19111f890"
+ date = "2023-07-31"
+ score = 40
+ strings:
+ $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */
+ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */
+ $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200033002c00200032 } /* FileVersion */
+ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */
+ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */
+ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */
+ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */
+ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */
+ condition:
+ all of them
+}
+
+
 rule PUA_VULN_Driver_Supermicrocomputerinc_Superbmc_Superbmc_F843 {
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - superbmc.sys"
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007300750070006500720062006d0063 } /* FileDescription superbmc */
@@ -1169,13 +1737,60 @@ rule PUA_VULN_Driver_Supermicrocomputerinc_Superbmc_Superbmc_F843 {
 }
 
 
+rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_1228 {
+ meta:
+ description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys"
+ author = "Florian Roth"
+ reference = "https://github.com/magicsword-io/LOLDrivers"
+ hash = "1228d0b6b4f907384346f64e918cc28021fe1cd7d4e39687bca34a708998261a"
+ date = "2023-07-31"
+ score = 40
+ strings:
+ $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */
+ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */
+ $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200033002c00200031002c00200031 } /* FileVersion */
+ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200033002c00200031002c00200030 } /* ProductVersion */
+ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */
+ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */
+ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */
+ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003400200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */
+ condition:
+ all of them
+}
+
+
+rule PUA_VULN_Driver_Novellinc_Novellxtier_DD2F {
+ meta:
+ description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys"
+ author = "Florian Roth"
+ reference = "https://github.com/magicsword-io/LOLDrivers"
+ hash = "dd2f1f7012fb1f4b2fb49be57af515cb462aa9c438e5756285d914d65da3745b"
+ hash = "0cfb7ea2cc515a7fe913ab3619cbfcf1ca96d8cf72dc350905634a5782907a49"
+ hash = "b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b"
+ hash = "d1c78c8ba70368e96515fb0596598938a8f9efa8f9f5d9e068ee008f03020fee"
+ hash = "b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e"
+ date = "2023-07-31"
+ score = 40
+ strings:
+ $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */
+ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */
+ $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */
+ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */
+ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */
+ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */
+ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */
+ condition:
+ all of them
+}
+
+
 rule PUA_VULN_Driver_Dell_Dbutil_71FE {
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DBUtilDrv2.sys"
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440042005500740069006c } /* FileDescription DBUtil */
@@ -1195,10 +1810,13 @@ rule PUA_VULN_Driver_Rweverything_Rwdrvsys_Rwdrvdriver_EA0B {
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3"
 hash = "3279593db91bb7ad5b489a01808c645eafafda6cc9c39f50d10ccc30203f2ddf"
+ hash = "83fbf5d46cff38dd1c0f83686708b3bd6a3a73fddd7a2da2b5a3acccd1d9359c"
 hash = "1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe"
 hash = "45ba688a4bded8a7e78a4f5b0dc21004e951ddceb014bb92f51a3301d2fbc56a"
 hash = "d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d"
- date = "2023-07-14"
+ hash = "d15a0bc7a39bbeff10019496c1ed217b7c1b26da37b2bdd46820b35161ddb3c4"
+ hash = "bdcacb9f373b017d0905845292bca2089feb0900ce80e78df1bcaae8328ce042"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200770044007200760020004400720069007600650072 } /* FileDescription RwDrvDriver */
@@ -1214,13 +1832,37 @@ rule PUA_VULN_Driver_Rweverything_Rwdrvsys_Rwdrvdriver_EA0B {
 }
 
 
+rule PUA_VULN_Driver_Netfiltersys_7FF8 {
+ meta:
+ description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys"
+ author = "Florian Roth"
+ reference = "https://github.com/magicsword-io/LOLDrivers"
+ hash = "7ff8fe4c220cf6416984b70a7e272006a018e5662da3cedc2a88efeb6411b4a4"
+ hash = "1cd75de5f54b799b60789696587b56a4a793cf60775b81f236f0e65189d863af"
+ hash = "12656fc113b178fa3e6bfffc6473897766c44120082483eb8059ebff29b5d2df"
+ date = "2023-07-31"
+ score = 40
+ strings:
+ $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a0053005100200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQWFPDriverWPP */
+ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */
+ $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0037002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
+ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */
+ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */
+ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */
+ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */
+ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */
+ condition:
+ all of them
+}
+
+
 rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_7795 {
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0020002000200020002000200020002000200020002000200020002000200020 } /* FileDescription */
@@ -1242,7 +1884,7 @@ rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_CFCF {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */
@@ -1264,7 +1906,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
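Review bot: In PUA_VULN_Driver_Netfiltersys_7FF8 the CompanyName and ProductName strings carry empty comments (`/* CompanyName */`, `/* ProductName */`) because their values are non-ASCII UTF-16 (`5b8f56fe65e05fe7`, `65e05fe752a0901f5668`), so a reviewer cannot tell what the pattern anchors on without decoding the hex by hand. The comment should carry the decoded text or at least the code points, e.g. `/* CompanyName 宏图无忧 (U+5B8F U+56FE U+65E0 U+5FE7) */` and `/* ProductName 无忧加速器 (U+65E0 U+5FE7 U+52A0 U+901F U+5668) */`, once that decoding is confirmed against the sample. The same stripping drops the `00ed` character from the LegalCopyright comment of PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_76AF in the last hunk. If this file is emitted by a generator, as its uniform layout suggests, the change belongs in the generator's comment output rather than in the rule text.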
@@ -1280,13 +1922,71 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_
 }
 
 
+rule PUA_VULN_Driver_Elaboratebytes_Elbycdio_Cdrtools_07AF {
+ meta:
+ description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys"
+ author = "Florian Roth"
+ reference = "https://github.com/magicsword-io/LOLDrivers"
+ hash = "07af8c5659ad293214364789df270c0e6d03d90f4f4495da76abc2d534c64d88"
+ date = "2023-07-31"
+ score = 40
+ strings:
+ $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f003200300030003000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTIOdriver */
+ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073 } /* CompanyName ElaborateBytes */
+ $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200030 } /* FileVersion */
+ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200035 } /* ProductVersion */
+ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */
+ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */
+ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */
+ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200045006c00610062006f007200610074006500200042007900740065007300200032003000300030 } /* LegalCopyright CopyrightCElaborateBytes */
+ condition:
+ all of them
+}
+
+
+rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_F7E0 {
+ meta:
+ description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
+ author = "Florian Roth"
+ reference = "https://github.com/magicsword-io/LOLDrivers"
+ hash = "f7e0cca8ad9ea1e34fa1a5e0533a746b2fa0988ba56b01542bc43841e463b686"
+ hash = "ef1abc77f4000e68d5190f9e11025ea3dc1e6132103d4c3678e15a678de09f33"
+ hash = "deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578"
+ hash = "a3975db1127c331ba541fffff0c607a15c45b47aa078e756b402422ef7e81c2c"
+ hash = "019c2955e380dd5867c4b82361a8d8de62346ef91140c95cb311b84448c0fa4f"
+ hash = "6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63"
+ hash = "8d6febd54ce0c98ea3653e582f7791061923a9a4842bd4a1326564204431ca9f"
+ hash = "2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22"
+ hash = "600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0"
+ hash = "8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775"
+ hash = "45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26"
+ hash = "3301b49b813427fa37a719988fe6446c6f4468dfe15aa246bec8d397f62f6486"
+ hash = "f8d6ce1c86cbd616bb821698037f60a41e129d282a8d6f1f5ecdd37a9688f585"
+ hash = "bc8cb3aebe911bd9b4a3caf46f7dda0f73fec4d2e4e7bc9601bb6726f5893091"
+ hash = "955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad"
+ date = "2023-07-31"
+ score = 40
+ strings:
+ $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
+ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */
+ $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
+ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */
+ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */
+ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */
+ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */
+ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310034002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */
+ condition:
+ all of them
+}
+
+
 rule PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_9A91 {
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - KfeCo11X64.sys"
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */
@@ -1309,7 +2009,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_1
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1"
 hash = "98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
@@ -1332,7 +2032,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4429 {
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b"
 hash = "a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
@@ -1354,7 +2054,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_7CB4 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
@@ -1370,22 +2070,69 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_7CB4 {
 }
 
 
-rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_E2E7 {
+rule PUA_VULN_Driver_Novellinc_Novellxtierforwindows_V_C190 {
 meta:
- description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
+ description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys"
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6"
- date = "2023-07-14"
+ hash = "c190e4a7f1781ec9fa8c17506b4745a1369dcdf174ce07f85de1a66cf4b5ed8a"
+ date = "2023-07-31"
 score = 40
 strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0034002e0034003200310031002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0034002e0034003200310031002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
+ $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */
+ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */
+ $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0035002e0030 } /* FileVersion */
+ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760033002e0031002e003500200028003200300030003600300038003200380029 } /* ProductVersion v */
+ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */
+ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */
+ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */
+ condition:
+ all of them
+}
+
+
+rule PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_DAF5 {
+ meta:
+ description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys"
+ author = "Florian Roth"
+ reference = "https://github.com/magicsword-io/LOLDrivers"
+ hash = "daf549a7080d384ba99d1b5bd2383dbb1aa640f7ea3a216df1f08981508155f5"
+ hash = "786f0ba14567a7e19192645ad4e40bee6df259abf2fbdfda35b6a38f8493d6cc"
+ hash = "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69"
+ hash = "87aae726bf7104aac8c8f566ea98f2b51a2bfb6097b6fc8aa1f70adeb4681e1b"
+ hash = "48b1344e45e4de4dfb74ef918af5e0e403001c9061018e703261bbd72dc30548"
+ date = "2023-07-31"
+ score = 40
+ strings:
+ $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */
+ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */
+ $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* FileVersion */
+ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* ProductVersion */
+ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */
+ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */
+ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */
+ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */
+ condition:
+ all of them
+}
+
+
+rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_E2E7 {
+ meta:
+ description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
+ author = "Florian Roth"
+ reference = "https://github.com/magicsword-io/LOLDrivers"
+ hash = "e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6"
+ date = "2023-07-31"
+ score = 40
+ strings:
+ $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
+ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
+ $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0034002e0034003200310031002e0030 } /* FileVersion */
+ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0034002e0034003200310031002e0030 } /* ProductVersion */
+ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
+ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
+ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
 $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
 condition:
 all of them
@@ -1398,7 +2145,7 @@ rule PUA_VULN_Driver_Ssmartsoftwaresolutionsgmbh_Sysdrvs_Sysdrvs_0E53 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530079007300440072007600330053 } /* FileDescription SysDrvS */
@@ -1420,7 +2167,7 @@ rule PUA_VULN_Driver_Copyright_Advancedmalwareprotection_6F55 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041006400760061006e0063006500640020004d0061006c0077006100720065002000500072006f00740065006300740069006f006e } /* FileDescription AdvancedMalwareProtection */
@@ -1443,7 +2190,7 @@ rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_D636 {
 hash = "d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2"
 hash = "0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff"
 hash = "ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */
@@ -1459,13 +2206,44 @@ rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_D636 {
 }
 
 
+rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_405A {
+ meta:
+ description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
+ author = "Florian Roth"
+ reference = "https://github.com/magicsword-io/LOLDrivers"
+ hash = "405a99028c99f36ab0f84a1fd810a167b8f0597725e37513d7430617106501f1"
+ hash = "73c03b01d5d1eb03ec5cb5a443714b12fa095cc4b09ddc34671a92117ae4bb3a"
+ hash = "e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b"
+ hash = "ff987c30ce822d99f3b4b4e23c61b88955f52406a95e6331570a2a13cbebc498"
+ hash = "78d49094913526340d8d0ef952e8fe9ada9e8b20726b77fb88c9fb5d54510663"
+ hash = "a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4"
+ hash = "b0f6cd34717d0cea5ab394b39a9de3a479ca472a071540a595117219d9a61a44"
+ hash = "0e8595217f4457757bed0e3cdea25ea70429732b173bba999f02dc85c7e06d02"
+ hash = "40da0adf588cbb2841a657239d92f24b111d62b173204b8102dd0e014932fe59"
+ hash = "ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d"
+ date = "2023-07-31"
+ score = 40
+ strings:
+ $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
+ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */
+ $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
+ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */
+ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */
+ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */
+ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */
+ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310036002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */
+ condition:
+ all of them
+}
+
+
 rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FDA9 {
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
@@ -1481,6 +2259,28 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FDA9 { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_76AF { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "76af3f9fa111d694e37058606f2636430bdd378c85b94f426fbfcd6666ebe6cc" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e003700300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003000380020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + all of them +} + + rule PUA_VULN_Driver_Novellinc_Novellxtier_AB09 { meta: 
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" @@ -1489,8 +2289,10 @@ rule PUA_VULN_Driver_Novellinc_Novellxtier_AB09 { hash = "ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a" hash = "e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48" hash = "e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790" + hash = "8138b219a2b1be2b0be61e5338be470c18ad6975f11119aee3a771d4584ed750" + hash = "f27febff1be9e89e48a9128e2121c7754d15f8a5b2e88c50102cecee5fe60229" hash = "da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ 
@@ -1505,41 +2307,13 @@ rule PUA_VULN_Driver_Novellinc_Novellxtier_AB09 { } -rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_DEEC { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578" - hash = "6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63" - hash = "2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22" - hash = "600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0" - hash = "8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775" - hash = "45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26" - hash = "955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad" - date = "2023-07-14" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310034002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ - condition: - all of them -} - - rule PUA_VULN_Driver_Microfocus_Microfocusxtier_95D5 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription XTierCOMServicesDriver */ @@ -1560,7 +2334,7 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_C894 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ 
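Review bot: The seven hashes of the removed rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_DEEC (deecbcd2…, 6befa481…, 2101d5e8…, 600a2119…, 8cf0cbbd…, 45c3d607…, 955dac77…) do not reappear in any rule visible in this diff, so unless they were moved to a hunk outside this view or to another rules file, detection coverage for those samples is dropped by this commit. The added PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_405A in the first hunk is not a replacement: its LegalCopyright byte string contains `0032003000310036` ("2016") where the removed rule's contains `0032003000310034` ("2014"), and with `condition: all of them` it will not fire on the 2014-copyright builds the old rule covered. If retiring those samples is intentional, stating why in the commit description or the generator input would make the regression auditable; if it is not, the DEEC rule (or its hashes) should be restored.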
@@ -1576,13 +2350,36 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_C894 { } +rule PUA_VULN_Driver_Novellinc_Novellxtier_003E { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "003e61358878c7e49e18420ee0b4a37b51880be40929a76e529c7b3fb18e81b4" + hash = "8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c" + hash = "53810ca98e07a567bb082628d95d796f14c218762cbbaa79704740284dccda4b" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Zemanaltd_Zam_7661 { meta: description = "Detects vulnerable 
driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ 
@@ -1595,13 +2392,35 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_7661 { } +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_965D { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "965d4f981b54669a96c5ab02d09bf0a9850d13862425b8981f1a9271350f28bb" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310031 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + all of them +} + + rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E4EC { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = 
"Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ 
@@ -1617,13 +2436,36 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E4EC { } +rule PUA_VULN_Driver_Novellinc_Novellxtier_653F { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "653f6a65e0e608cae217bea2f90f05d8125cf23f83ba01a60de0f5659cfa5d4d" + hash = "a855b6ec385b3369c547a3c54e88a013dd028865aba0f3f08be84cdcbaa9a0f6" + hash = "49ef680510e3dac6979a20629d10f06822c78f45b9a62ec209b71827a526be94" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + rule 
PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_7D43 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -1645,7 +2487,7 @@ rule PUA_VULN_Driver_Pchuntersys_Pchunter_1B7F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00450070006f006f006c0073006f00660074002000570069006e0064006f0077007300200049006e0066006f0072006d006100740069006f006e0020005600690065007700200054006f006f006c0073 } /* FileDescription EpoolsoftWindowsInformationViewTools */ 
@@ -1667,9 +2509,13 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_2A6D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486" + hash = "3813c1aab1760acb963bcc10d6ea3fddc2976b9e291710756408de392bc9e5d5" hash = "aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399" + hash = "68671b735716ffc168addc052c5dc3d635e63e71c1e78815e7874286c3fcc248" hash = "1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961" - date = "2023-07-14" + hash = "69640e9209f8e2ac25416bd3119b5308894b6ce22b5c80cb5d5f98f2f85d42ce" + hash = "2298e838e3c015aedfb83ab18194a2503fe5764a862c294c8b39c550aab2f08e" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -1692,7 +2538,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolibx_1E8B { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee" hash = "5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062005f005800360034 } /* FileDescription NTIOLibX */ 
@@ -1708,13 +2554,37 @@ rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolibx_1E8B { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_1B17 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1b17d12076d047e74d15e6e51e10497ad49419bec7fbe93386c57d3efbaadc0b" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + all of them +} + + rule 
PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_C628 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2" - date = "2023-07-14" + hash = "0d30c6c4fa0216d0637b4049142bc275814fd674859373bd4af520ce173a1c75" + hash = "7164aaff86b3b7c588fc7ae7839cc09c5c8c6ae29d1aff5325adaf5bedd7c9f5" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ @@ -1736,7 +2606,7 @@ rule PUA_VULN_Driver_Wj_Kprocesshacker_7021 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */ @@ -1757,7 +2627,7 @@ rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_AB8F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ 
@@ -1773,13 +2643,38 @@ rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_AB8F { } +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_8ED0 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8ed0c00920ce76e832701d45117ed00b12e20588cb6fe8039fbccdfef9841047" + hash = "e77786b21dbe73e9619ac9aac5e7e92989333d559aa22b4b65c97f0a42ff2e21" + hash = "9724488ca2ba4c787640c49131f4d1daae5bd47d6b2e7e5f9e8918b1d6f655be" + hash = "a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0037003400360035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0037003400360035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + condition: + all of them +} + + rule PUA_VULN_Driver_Windowsrwinddkprovider_Cupfixerxsys_Windowsrwinddkdriver_8C74 { meta: 
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CupFixerx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530069006e0063006500790020004300750070002000460069007800650072 } /* FileDescription SinceyCupFixer */ @@ -1801,7 +2696,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_3B6E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -1823,7 +2718,7 @@ rule PUA_VULN_Driver_Mydriverscom_Hwm_Drivergenius_08EB { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440072006900760065007200470065006e0069007500730020004800610072006400770061007200650020006d006f006e00690074006f0072 } /* FileDescription DriverGeniusHardwaremonitor */ 
@@ -1839,13 +2734,36 @@ rule PUA_VULN_Driver_Mydriverscom_Hwm_Drivergenius_08EB { } +rule PUA_VULN_Driver_Rweverything_Asrsetupdrvsys_Asrsetupdrvdriver_A072 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrSetupDrv103.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a0728184caead84f2e88777d833765f2d8af6a20aad77b426e07e76ef91f5c3f" + hash = "9d9346e6f46f831e263385a9bd32428e01919cca26a035bbb8e9cb00bf410bc3" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072005300650074007500700044007200760031003000330020004400720069007600650072 } /* FileDescription AsrSetupDrvDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e0067 } /* CompanyName RWEverything */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00410073007200530065007400750070004400720076003100300033002e007300790073 } /* InternalName AsrSetupDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100730072005300650074007500700044007200760031003000330020004400720069007600650072 } /* ProductName AsrSetupDrvDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00410073007200530065007400750070004400720076003100300033002e007300790073 } /* OriginalFilename AsrSetupDrvsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002000520057002d00450076006500720079007400680069006e0067 } /* LegalCopyright CopyrightCRWEverything */ + condition: + all of them +} + + rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_36E3 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ 
@@ -1861,13 +2779,35 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_36E3 { } +rule PUA_VULN_Driver_Innotekgmbh_Vboxguest_Virtualboxguestadditions_9833 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxguest.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "983310cdce8397c016bfcfcc9c3a8abbb5c928b235bc3c3ae3a3cc10ef24dfbd" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004400720069007600650072 } /* FileDescription VirtualBoxGuestDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00760062006f007800670075006500730074 } /* InternalName vboxguest */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760062006f007800670075006500730074002e007300790073 } /* OriginalFilename vboxguestsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ + condition: + all of them +} + + rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_8CFD { meta: description = "Detects 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -1889,7 +2829,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_58A7 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ 
@@ -1905,13 +2845,64 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_58A7 { } +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_AD8F { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ad8fd8300ed375e22463cea8767f68857d9a3b0ff8585fbeb60acef89bf4a7d7" + hash = "0507d893e3fd2917c81c1dc13ccb22ae5402ab6ca9fb8d89485010838050d08d" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0039003900380036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0039003900380036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwinddkdriver_0F3E { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian 
Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0f3e7bf7b103613844a38afb574817ddaecd00e4d206d891660dbb0e5dfee04e" + hash = "62b14bb308c99132d90646e85bc7d6eb593f38e225c8232f69f24b74a019c176" + hash = "9dbc2a37f53507296cc912e7d354dab4e55541ba821561aa84f74d1bd8346be2" + hash = "71701c5c569ef67391c995a12b21ca06935b7799ed211d978f7877115c58dce0" + hash = "81bcd8a3f8c17ac6dc4bad750ad3417914db10aa15485094eef0951a3f72bdbd" + hash = "1a0f57a4d7c8137baf24c65d542729547b876979273df7a245aaeea87280c090" + hash = "65a3e69854c729659281d2c5f8a4c8274ad3606befdcd9e1b79d3262f260bfa1" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b00200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0039002e0037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e0039003200300030002e00320030003500350037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ + condition: + all of them +} + + rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_BDBC { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -1933,7 +2924,7 @@ rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_A468 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ 
@@ -1948,6 +2939,31 @@ rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_A468 { } +rule PUA_VULN_Driver_Novellinc_Novellxtier_6B71 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6b71b7f86e41540a82d7750a698e0386b74f52962b879cbb46f17935183cd2c7" + hash = "dd4fedd5662122cbfe046a12e2137294ef1cb7822238d9e24eacc78f22f8e93d" + hash = "cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190" + hash = "1c2f1e2b0cc4da128feb73a6b9dd040df8495fefe861d69c9f44778c6ddb9b9b" + hash = "904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright 
CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_FD38 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - hw.sys" @@ -1955,7 +2971,7 @@ rule PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_FD38 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c" hash = "6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d00380020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */ @@ -1977,7 +2993,7 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ 
@@ -1993,13 +3009,60 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster } +rule PUA_VULN_Driver_Innotekgmbh_Vboxusbmonsys_Virtualboxusbmonitordriver_3D05 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSBMon.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3d055be2671e136c937f361cef905e295ddb6983526341f1d5f80a16b7655b40" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* FileDescription VirtualBoxUSBMonitorDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* InternalName VBoxUSBMonsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* ProductName VirtualBoxUSBMonitorDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* OriginalFilename VBoxUSBMonsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright innotekGmbH */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_4C2D { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using 
VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4c2d2122ef7a100e1651f2ec50528c0d1a2b8a71c075461f0dc58a1aca36bc61" + hash = "d59cc3765a2a9fa510273dded5a9f9ac5190f1edf24a00ffd6a1bbd1cb34c757" + hash = "dafa4459d88a8ab738b003b70953e0780f6b8f09344ce3cd631af70c78310b53" + hash = "46d1dc89cc5fa327e7adf3e3d6d498657240772b85548c17d2e356aac193dd28" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003200300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003200300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310038002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ + condition: + all of them +} + + rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_7133 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian 
Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -2021,7 +3084,7 @@ rule PUA_VULN_Driver_Pinduoduoltdcorp_Vboxdrv_Pinduoduosecurevdi_9DAB { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ 
@@ -2037,6 +3100,28 @@ rule PUA_VULN_Driver_Pinduoduoltdcorp_Vboxdrv_Pinduoduosecurevdi_9DAB { } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_83A1 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "83a1fabf782d5f041132d7c7281525f6610207b38f33ff3c5e44eb9444dd0cbc" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200031002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200031002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003500200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + rule 
PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3FF3 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" @@ -2044,7 +3129,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa" hash = "86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ 
@@ -2060,13 +3145,39 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3 } +rule PUA_VULN_Driver_Novellinc_Novellxtier_1493 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "14938f68957ede6e2b742a550042119a8fbc9f14427fb89fa53fff12d243561c" + hash = "e4cf438838dc10b188b3d4a318fd9ba2479abb078458d7f97591c723e2d637ce" + hash = "41eeeb0472c7e9c3a7146a2133341cd74dd3f8b5064c9dee2c70e5daa060954f" + hash = "ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2" + hash = "a495ffa623a5220179b0dd519935e255dd6910b7b7bc3d68906528496561ff53" + hash = "28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_6532 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ @@ -2088,7 +3199,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_1768 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -2110,7 +3221,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_D7E0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ 
@@ -2130,7 +3241,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1A42 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -2152,7 +3263,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_BCFC { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2175,7 +3286,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3854 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039" hash = "b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -2191,13 +3302,35 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3854 { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_EC9B { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ec9bd7fb90c3a2aa4605bd73fe1f74399e2cda75fd4c5fff84660ad4f797c4fe" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + all of them +} + + rule 
PUA_VULN_Driver_Entechtaiwan_Seasys_Softenginex_6CB5 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Se64a.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006e005400650063006800200073006f006600740045006e00670069006e006500200078003600340020006b00650072006e0065006c002d006d006f006400650020006400720069007600650072 } /* FileDescription EnTechsoftEnginexkernelmodedriver */ @@ -2219,7 +3352,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_4B52 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ 
@@ -2235,25 +3368,23 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_4B52 { } -rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_E0B5 { +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_7702 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b" - hash = "a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4" - hash = "ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d" - date = "2023-07-14" + hash = "7702f240800528d8186e3e6a26e2680486fed65a6fb5a2a000ad12c1fb61a398" + date = "2023-07-31" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310036002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003700300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ condition: all of them } 
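Review bot: This hunk deletes rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_E0B5 together with its three cpuz.sys hashes (e0b5…, a072…, ded2…) and puts the HWiNFO 7702 rule in its place, and nothing in view re-adds the CPUID rule. If the cpuz.sys rule is not re-emitted elsewhere in this patch (the hunk offsets show roughly 1100 added lines earlier in the file that are outside this view), the change silently drops detection coverage for those three samples, which the commit message should call out as intentional or the generator should be fixed. A removed driver rule should also be reflected in the corresponding yaml entry so the enrichment script does not keep pointing at a signature that no longer exists; a one-line comment such as `// removed: CPUID cpuz.sys (E0B5) — see <reason>` above the new rule would make the regression reviewable.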
@@ -2265,7 +3396,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_18DE { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -2283,11 +3414,11 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_18DE { rule PUA_VULN_Driver_Iobitinformationtechnology_Iobitunlockersys_Unlocker_F85C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - IObitUnlocker.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iobitunlocker.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription UnlockerDriver */ @@ -2309,7 +3440,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_5BD author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ 
@@ -2331,7 +3462,7 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -2353,7 +3484,7 @@ rule PUA_VULN_Driver_Multitheftauto_Mtasanandreas_9F4C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0075006c007400690020005400680065006600740020004100750074006f0020007000610074006300680020006400720069007600650072 } /* FileDescription MultiTheftAutopatchdriver */ 
@@ -2367,13 +3498,35 @@ rule PUA_VULN_Driver_Multitheftauto_Mtasanandreas_9F4C { } +rule PUA_VULN_Driver_Novellinc_Novellxtier_F629 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f62911334068c9edd44b9c3e8dee8155a0097aa331dd4566a61afa3549f35f65" + hash = "0cf91e8f64a7c98dbeab21597bd76723aee892ed8fa4ee44b09f9e75089308e2" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Zemanaltd_Zam_45F4 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -2392,7 +3545,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3E1D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2414,7 +3567,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_19D author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ 
@@ -2430,13 +3583,57 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_19D } +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_4ED2 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e00320030003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxtapsys_Virtualboxhostinterfacenetworkingdriver_CFA2 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxTAP.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "cfa28e2f624f927d4cbd2952306570d86901d2f24e3d07cc6277e98289d09783" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* FileDescription VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002f0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002f0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* InternalName VBoxTAPsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* ProductName VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* OriginalFilename VBoxTAPsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e002000260020004f00740068006500720073 } /* LegalCopyright SunMicrosystemsIncOthers */ + condition: + all of them +} + + rule PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_B583 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - KfeCo10X64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */ 
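Review bot: In rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_4ED2 the CompanyName, ProductName and LegalCopyright hex strings carry long runs of trailing `0020` (space padding), and InternalName/OriginalFilename end in a trailing `0020` as well, so with `condition: all of them` the rule only fires when the VersionInfo fields are padded exactly as in sample 4ed2…; a rebuild of the same driver with different padding, or a trimmed VersionInfo, evades it. Since these rules look generator-produced, the fix probably belongs in the generator: right-strip the VersionInfo values before UTF-16 encoding so the strings read e.g. `{ 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b }` for CompanyName, which still matches this sample and is no longer padding-sensitive. The VBoxTAP rule in the same hunk does not show this pattern, so the padding appears to be sample-specific rather than systematic.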
@@ -2452,13 +3649,57 @@ rule PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_B583 { } +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_88FB { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "88fb0a846f52c3b680c695cd349bf56151a53a75a07b8b0b4fe026ab8aa0a9af" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530070006500650064002000460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310030 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautochkupddrvdriver_4AE4 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers 
project using VersionInfo values from the PE header - AsrAutoChkUpdDrv_1_0_32.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4ae42c1f11a98dee07a0d7199f611699511f1fb95120fabc4c3c349c485467fe" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f003300320020004400720069007600650072 } /* FileDescription AsrAutoChkUpdDrvDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f00330032002e007300790073 } /* InternalName AsrAutoChkUpdDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f003300320020004400720069007600650072 } /* ProductName AsrAutoChkUpdDrvDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f00330032002e007300790073 } /* OriginalFilename AsrAutoChkUpdDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation 
*/ + condition: + all of them +} + + rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_F6CD { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ 
@@ -2474,23 +3715,23 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster } -rule PUA_VULN_Driver_Novellinc_Novellxtier_B37B { +rule PUA_VULN_Driver_Innotekgmbh_Vboxtapsys_Virtualboxhostinterfacenetworkingdriver_994F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxTAP.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b" - hash = "b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e" - date = "2023-07-14" + hash = "994f322def98c99aec7ea0036ef5f4b802120458782ae3867d116d55215c56e4" + date = "2023-07-31" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* FileDescription VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002f0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002f0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* InternalName VBoxTAPsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* ProductName VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* OriginalFilename VBoxTAPsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048002000260020004f00740068006500720073 } /* LegalCopyright innotekGmbHOthers */ condition: all of them } 
@@ -2502,7 +3743,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2A62 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -2524,7 +3765,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -2547,7 +3788,7 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_092D reference = "https://github.com/magicsword-io/LOLDrivers" hash = "092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0" hash = "0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ 
@@ -2563,13 +3804,36 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_092D } +rule PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_9D53 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9d530642aeb6524691d06b9e02a84e3487c9cdd86c264b105035d925c984823a" + hash = "5e27fe26110d2b9f6c2bad407d3d0611356576b531564f75ff96f9f72d5fcae4" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00310032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e00310032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ + condition: + all of them +} + + rule PUA_VULN_Driver_Supermicrocomputerinc_Phymem_Phymem_1963 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - phymem64.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" hash = "1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007000680079006d0065006d0020004100700070006c00690063006100740069006f006e } /* FileDescription phymemApplication */ @@ -2591,7 +3855,7 @@ rule PUA_VULN_Driver_Hilschergesellschaftfrsystemaoutomationmbh_Physmemsys_Physi author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006800790073006900630061006c0020004d0065006d006f0072007900200041006300630065007300730020004400720069007600650072 } /* FileDescription PhysicalMemoryAccessDriver */ 
@@ -2607,13 +3871,37 @@ rule PUA_VULN_Driver_Hilschergesellschaftfrsystemaoutomationmbh_Physmemsys_Physi } +rule PUA_VULN_Driver_Novellinc_Novellxtier_D04C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d04c72fd31e7d36b101ad30e119e14f6df9cbc7a761526da9b77f9e0b9888bc4" + hash = "3b7177e9a10c1392633c5f605600bb23c8629379f7f42957972374a05d4dc458" + hash = "87e094214feb56a482cd8ae7ee7c7882b5a8dccce7947fdaa04a660fa19f41e5" + hash = "72b67b6b38f5e5447880447a55fead7f1de51ca37ae4a0c2b2f23a4cb7455f35" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + 
condition: + all of them +} + + rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_E839 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004300500055005f00430043 } /* FileDescription NTIOLibforMSICPUCC */ @@ -2631,11 +3919,11 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_E839 { rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F85E { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ 
@@ -2657,8 +3945,11 @@ rule PUA_VULN_Driver_Novellinc_Novellxtier_6C71 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44" + hash = "8b688dd055ead2c915a139598c8db7962b42cb6e744eaacfcb338c093fc1f4e7" + hash = "84739539aa6a9c9cb3c48c53f9399742883f17f24e081ebfa7bfaaf59f3ed451" + hash = "e279e425d906ba77784fb5b2738913f5065a567d03abe4fd5571695d418c1c0f" hash = "3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ @@ -2679,7 +3970,7 @@ rule PUA_VULN_Driver_Dtresearchinc_Iomemsys_Iomemsys_DD4A { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ @@ -2702,7 +3993,7 @@ rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_0005 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b" hash = "a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ 
@@ -2724,7 +4015,7 @@ rule PUA_VULN_Driver_Creativetechnologyinnovationcoltd_Ctiiosys_Ctiiodriverversi author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430054004900200049004f0020006400720069007600650072 } /* FileDescription CTIIOdriver */ @@ -2746,7 +4037,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_6500 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ 
@@ -2762,6 +4053,28 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_6500 { } +rule PUA_VULN_Driver_Elaboratebytes_Elbycdio_Cdrtools_98EC { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "98ec7cc994d26699f5d26103a0aeb361128cff3c2c4d624fc99126540e23e97e" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f003200300030003000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073 } /* CompanyName ElaborateBytes */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200031002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200045006c00610062006f007200610074006500200042007900740065007300200032003000300030 } /* LegalCopyright CopyrightCElaborateBytes */ + condition: + all of them +} + + rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_1A4F { meta: description = "Detects vulnerable driver mentioned in LOLDrivers 
project using VersionInfo values from the PE header - ATSZIO.sys" @@ -2772,7 +4085,7 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_1A4F { hash = "0da746e49fd662be910d0e366934a7e02898714eaaa577e261ab40eb44222b5c" hash = "e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f" hash = "01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ @@ -2795,7 +4108,7 @@ rule PUA_VULN_Driver_Huawei_Hwosec_Huaweimatebook_BB11 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc" hash = "b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00480077004f0073003200450063 } /* FileDescription HwOsEc */ @@ -2817,7 +4130,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_1F81 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
@@ -2833,13 +4146,59 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_1F81 { } +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_0BD1 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0bd1523a68900b80ed1bccb967643525cca55d4ff4622d0128913690e6bb619e" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310033 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_1FAC { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values 
from the PE header - EIO.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1fac3fab8ea2137a7e81a26de121187bf72e7d16ffa3e9aec3886e2376d3c718" + hash = "f4c7e94a7c2e49b130671b573a9e4ff4527a777978f371c659c3f97c14d126de" + hash = "cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000340020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ + condition: + all of them +} + + rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_ADA4 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ 
@@ -2855,13 +4214,35 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_ADA4 { } +rule PUA_VULN_Driver_Netfiltersys_F171 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f1718a005232d1261894b798a60c73d971416359b70d0e545d7e7a40ed742b71" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a0053005100200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0037002e0038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e0039003200300030002e00320030003500350037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + condition: + all of them +} + + rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_074A { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" hash = "074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -2884,7 +4265,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_F877 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54" hash = "de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -2906,7 +4287,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_818E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -2929,7 +4310,7 @@ rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_5FAD { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36" hash = "29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ @@ -2951,7 +4332,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_ED2F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2973,7 +4354,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_DE8F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ 
@@ -2986,41 +4367,13 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_DE8F { } -rule PUA_VULN_Driver_Asrockincorporation_Asrdrvsys_Asrockiodriver_950A { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrOmgDrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9" - hash = "ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c" - hash = "a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc" - hash = "f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b" - hash = "3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838" - hash = "2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d" - hash = "6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7" - date = "2023-07-14" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* FileDescription ASRockIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* InternalName AsrDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* ProductName ASRockIODriver */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* OriginalFilename AsrDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ - condition: - all of them -} - - rule PUA_VULN_Driver_Zemanaltd_Zam_E428 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -3044,7 +4397,7 @@ rule PUA_VULN_Driver_Rweverything_Rwdrvsys_Rweverythingreadwritedriver_0AAF { hash = "2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14" hash = "2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a" hash = "47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520057002d00450076006500720079007400680069006e006700200052006500610064002000260020005700720069007400650020004400720069007600650072 } /* FileDescription RWEverythingReadWriteDriver */ 
@@ -3060,23 +4413,45 @@ rule PUA_VULN_Driver_Rweverything_Rwdrvsys_Rweverythingreadwritedriver_0AAF { } -rule PUA_VULN_Driver_Novellinc_Novellxtier_CF31 { +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_CBF7 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NICM.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190" - hash = "904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a" - date = "2023-07-14" + hash = "cbf74bed1a4d3d5819b7c50e9d91e5760db1562d8032122edac6f0970f427183" + date = "2023-07-31" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e00640072006100200044006500760069006300650020004400720069007600650072002000280049004100360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverIAUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdPresentAllrightsreserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_1284 { + meta: + description = 
"Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1284a1462a5270833ec7719f768cdb381e7d0a9c475041f9f3c74fa8eea83590" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003300320020007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0032002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0032002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300035002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ condition: all of them } 
@@ -3088,7 +4463,7 @@ rule PUA_VULN_Driver_Logitechinc_Lvavsys_Logitechwebcamsoftware_E86C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f00670069007400650063006800200056006900640065006f0020004400720069007600650072 } /* FileDescription LogitechVideoDriver */ @@ -3110,7 +4485,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_2BBC { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -3129,7 +4504,7 @@ rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_F15A { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ 
@@ -3145,35 +4520,13 @@ rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_F15A { } -rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_93D8 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63" - date = "2023-07-14" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ - condition: - all of them -} - - rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_86A1 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" 
reference = "https://github.com/magicsword-io/LOLDrivers" hash = "86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3195,7 +4548,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_4DA0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3217,7 +4570,7 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltxsys_Panca author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ @@ -3241,7 +4594,7 @@ rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Rtkiosys_Windowsrcodena hash = "caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab" hash = "478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82" hash = "916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ 
@@ -3257,38 +4610,13 @@ rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Rtkiosys_Windowsrcodena } -rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_2EF7 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e" - hash = "dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98" - hash = "8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126" - hash = "49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668" - date = "2023-07-14" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ - condition: - all of them -} - - rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_6FFD { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c00650020004e006f00540072006100700020004200750069006c0064 } /* FileDescription TrendMicroCommonModuleNoTrapBuild */ @@ -3310,7 +4638,7 @@ rule PUA_VULN_Driver_Windowsrserverddkprovider_Speedfansys_Windowsrserverddkdriv author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200044006500760069006300650020004400720069007600650072 } /* FileDescription SpeedFanDeviceDriver */ 
@@ -3326,13 +4654,35 @@ rule PUA_VULN_Driver_Windowsrserverddkprovider_Speedfansys_Windowsrserverddkdriv } +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_F4EE { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f4ee803eefdb4eaeedb3024c3516f1f9a202c77f4870d6b74356bbde32b3b560" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310033 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + all of them +} + + rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_AD8F { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from 
the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -3354,7 +4704,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_34E author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -3376,7 +4726,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_19BF { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
@@ -3392,37 +4742,13 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_19BF { } -rule PUA_VULN_Driver_Powertool_Kevpsys_Powertool_1AAA { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kEvP64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c" - hash = "09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184" - hash = "8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f" - date = "2023-07-14" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006f0077006500720054006f006f006c } /* FileDescription PowerTool */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* CompanyName PowerTool */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* InternalName kEvPsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* ProductName PowerTool */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* OriginalFilename kEvPsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0050006f0077006500720054006f006f006c } /* LegalCopyright PowerTool */ - condition: - all of them -} - - rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2FBB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -3444,7 +4770,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_14AD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3466,7 +4792,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E4D9 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -3488,7 +4814,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F65 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -3512,7 +4838,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3 hash = "3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc" hash = "46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7" hash = "6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ 
@@ -3528,13 +4854,35 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3 } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_6E9E { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6e9e9e0b9a23deec5f28dc45f0bbe7423565f037f74be2957e82e5f72c886094" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003800300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00380030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + all of them +} + + rule 
PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_A2F4 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -3556,7 +4904,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_DCB8 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3580,7 +4928,7 @@ rule PUA_VULN_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutxsys_Inpoutxd hash = "2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d" hash = "f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af" hash = "f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00650072006e0065006c0020006c006500760065006c00200070006f0072007400200061006300630065007300730020006400720069007600650072 } /* FileDescription Kernellevelportaccessdriver */ 
@@ -3598,11 +4946,11 @@ rule PUA_VULN_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutxsys_Inpoutxd rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2380 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ @@ -3620,11 +4968,11 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2380 { rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_496F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ 
@@ -3646,7 +4994,7 @@ rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_43BA { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d004900430053005900530020006400720069007600650072 } /* FileDescription MICSYSdriver */ @@ -3669,7 +5017,7 @@ rule PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_4880 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8" hash = "55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d003100300020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */ 
@@ -3685,13 +5033,59 @@ rule PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_4880 { } +rule PUA_VULN_Driver_Overclockingtool_Atillksys_Overclockingtool_11A9 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "11a9787831ac4f0657aeb5e7019c23acc39d8833faf28f85bd10d7590ea4cc5f" + hash = "d2182b6ef3255c7c1a69223cd3c2d68eb8ba3112ce433cd49cd803dc76412d4b" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f0076006500720063006c006f0063006b0069006e00670020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription OverclockingHardwareAbstractionSys */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f0076006500720063006c006f0063006b0069006e006700200054006f006f006c } /* CompanyName OverclockingTool */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310030002e00320030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310030002e00320030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* InternalName atillksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004f0076006500720063006c006f0063006b0069006e006700200054006f006f006c } /* ProductName OverclockingTool */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* OriginalFilename atillksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002c00200032003000300035 } /* LegalCopyright CopyrightC */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_0C92 
{ + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0c925468c3376458d0e1ec65e097bd1a81a03901035c0195e8f6ef904ef3f901" + hash = "16e2b071991b470a76dff4b6312d3c7e2133ad9ac4b6a62dda4e32281952fb23" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0033003100330037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0033003100330037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + condition: + all of them +} + + rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5CFA { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" hash = "5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -3713,7 +5107,7 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Paniosys_Paniolibra author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ 
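Review bot: The two rules added in this hunk, PUA_VULN_Driver_Overclockingtool_Atillksys_Overclockingtool_11A9 and PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_0C92, gate only on `all of them` over eight UTF-16 VersionInfo byte patterns, with no PE-magic or filesize guard, so every scanned file is searched in full before any of the patterns can fail cheaply. The same applies to the rules added in the later hunks (Elbycdio_0DC4 and Novellxtier_66F8, Tmelsys_D0EB, Elbycdio_1F15, Sandra_D7C7, Elbycdio_3E85) and to the existing rules they sit next to. A cheap header check in the condition, `uint16(0) == 0x5a4d and all of them`, would skip non-PE input without changing what the rules match. Every rule in the file has the identical layout, author and reference, so this file looks generated and the change belongs in whatever emits it rather than in the .yar itself.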
@@ -3729,13 +5123,57 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Paniosys_Paniolibra } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_0DC4 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0dc4ff96d7e7db696e0391c5a1dda92a0b0aedbf1b0535bf5d62ebeec5b2311c" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003500200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtier_66F8 { + 
meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "66f8bd2b29763acfbb7423f4c3c9c3af9f3ca4113bd580ab32f6e3ee4a4fc64e" + hash = "7f84f009704bc36f0e97c7be3de90648a5e7c21b4f870e4f210514d4418079a0" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_3E27 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo 
values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ 
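Review bot: The new rule PUA_VULN_Driver_Novellinc_Novellxtier_66F8 carries no InternalName string, while every other rule this commit adds has one between ProductVersion and ProductName. The Novell rule for nscm.sys that a later hunk removes had the same gap, so this is probably what the generator emits when the sample's version resource lacks that field rather than a dropped line, but it is worth confirming against the VersionInfo of 66f8bd2b29763acfbb7423f4c3c9c3af9f3ca4113bd580ab32f6e3ee4a4fc64e before merging, since `all of them` over seven strings is slightly looser than the sibling rules. A one-line meta note such as `comment = "no InternalName in VersionInfo"` would make the omission visibly deliberate.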
@@ -3751,13 +5189,35 @@ rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_3E27 { } +rule PUA_VULN_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_D0EB { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d0eb3ba0aff471d19260192784bf9f056d669b779b6eaff84e732b7124ce1d11" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d00200044007200690076006500720020002800360034002d0042006900740029 } /* FileDescription TrendMicroELAMDriverBit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_D0E2 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ 
@@ -3773,13 +5233,35 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_D0E2 { } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_1F15 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1f15fd9b81092a98fabcc4ac95e45cec2d9ff3874d2e3faac482f3e86edad441" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + rule PUA_VULN_Driver_Fujitsulimited_Advdrvsys_Microsoftrwindowsroperatingsystem_04A8 { meta: 
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ADV64DRV.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460055004a00490054005300550020004c0049004d0049005400450044002e } /* CompanyName FUJITSULIMITED */ @@ -3800,7 +5282,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0CD author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -3822,7 +5304,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7837 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -3844,7 +5326,7 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltsys_Pancaf author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ @@ -3866,7 +5348,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_D0BD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -3888,7 +5370,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_4E37 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -3910,7 +5392,7 @@ rule PUA_VULN_Driver_Iobit_Monitorsys_Advancedsystemcare_E4A7 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f006200690074002000540065006d007000650072006100740075007200650020004d006f006e00690074006f0072 } /* FileDescription IObitTemperatureMonitor */ @@ -3928,11 +5410,11 @@ rule PUA_VULN_Driver_Iobit_Monitorsys_Advancedsystemcare_E4A7 { rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_881B { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -3954,7 +5436,7 @@ rule PUA_VULN_Driver_Dtresearchinc_Iomemsys_Iomemsys_3D23 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ 
@@ -3978,7 +5460,7 @@ rule PUA_VULN_Driver_Windowsrwinddkprovider_Vmdrvsys_Windowsrwinddkdriver_D884 { hash = "d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3" hash = "5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921" hash = "32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0056006f006900630065006d006f00640020005600690072007400750061006c00200041007500640069006f00200044006500760069006300650020002800570044004d0029 } /* FileDescription VoicemodVirtualAudioDeviceWDM */ @@ -4001,7 +5483,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_C reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc" hash = "075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -4023,7 +5505,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F69 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
@@ -4045,7 +5527,7 @@ rule PUA_VULN_Driver_Oti_Otipcibussys_Kernelmodedrivertoaccessphysicalmemoryandp author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200041006300630065007300730020004400720069007600650072 } /* FileDescription HardwareAccessDriver */ @@ -4067,7 +5549,7 @@ rule PUA_VULN_Driver_Atszio_Atsziodriver_673B { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b" hash = "31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ @@ -4084,11 +5566,11 @@ rule PUA_VULN_Driver_Atszio_Atsziodriver_673B { rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_82FB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ 
@@ -4104,13 +5586,35 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_82FB { } +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_D7C7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d7c79238f862b471740aff4cc3982658d1339795e9ec884a8921efe2e547d7c3" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e0064007200610020004400650076006900630065002000440072006900760065007200200028007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright 
CopyrightSiSoftwareLtdPresentAllrightsreserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_A802 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4132,7 +5636,7 @@ rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpudriver_Windowsrcoden author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041005300550053002000540044004500200043005000550020004400720069007600650072 } /* FileDescription ASUSTDECPUDriver */ @@ -4154,7 +5658,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_61BE { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -4170,45 +5674,23 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_61BE { } -rule PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_358A { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69" - date = "2023-07-14" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ - condition: - all of them -} - - -rule PUA_VULN_Driver_Novellinc_Novellxtier_CE23 { +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_1E94 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo 
values from the PE header - sfdrvx32.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2" - hash = "28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7" - date = "2023-07-14" + hash = "1e94d4e6d903e98f60c240dc841dcace5f9e8bbb0802e6648a49ab80c23318cb" + date = "2023-07-31" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = 
{ 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310031 } /* LegalCopyright CopyrightAlmicoSoftware */ condition: all of them } @@ -4220,7 +5702,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_3C18 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -4239,7 +5721,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3C42 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
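Review bot: This hunk deletes PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_358A (hash 358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69) and PUA_VULN_Driver_Novellinc_Novellxtier_CE23 (hashes ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2 and 28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7), so detection of those three samples drops out of this rule set while the rest of the commit only adds rules and bumps dates. Nothing on the page says whether the samples were reclassified, moved to another rule file, or lost through a generator change, and a silent coverage regression in a detection feed is exactly what consumers pinning this file will not notice. The commit description should state why these two rules go away, or the generator input for WiseUnlo.sys and nscm.sys should be checked before this is merged. The replacement rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_1E94 itself is consistent with the other additions.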
@@ -4255,13 +5737,35 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3C42 { } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_3E85 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3e85cf32562a47d51827b21ab1e7f8c26c0dbd1cd86272f3cc64caae61a7e5fb" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + rule PUA_VULN_Driver_Hpdevelopmentcompany_Etdsuppsys_Hpetdidriverdll_F744 { meta: description = 
"Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - etdsupp.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004500540044006900200053007500700070006f007200740020004400720069007600650072 } /* FileDescription ETDiSupportDriver */ @@ -4283,7 +5787,7 @@ rule PUA_VULN_Driver_Asus_Asmmapsys_Atkgenericfunctionservice_025E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0065006d006f007200790020006d0061007000700069006e00670020004400720069007600650072 } /* FileDescription MemorymappingDriver */ @@ -4305,7 +5809,7 @@ rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_32E1 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ 
@@ -4321,34 +5825,13 @@ rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_32E1 { } -rule PUA_VULN_Driver_Novellinc_Novellxtier_8E88 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c" - date = "2023-07-14" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ - condition: - all of them -} - - rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0B54 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author 
= "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -4370,7 +5853,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -4393,7 +5876,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_5439 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91" hash = "ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ 
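Review bot: Deleting PUA_VULN_Driver_Novellinc_Novellxtier_8E88 in this hunk removes the only visible rule carrying hash 8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c (nscm.sys, FileVersion 3.1.6.0); the Novell rules added later in this diff (E89C, 6CF1) are built from libnicm.sys strings, so they do not cover it. Unless that hash is re-added in a hunk outside this view, the change is a detection regression rather than a refresh, and the same question applies to the two hashes (ce23c2…, 28999a…) dropped from the sfdrvx32 rule at the top of this view, whose hunk starts outside it. If the removal is intentional (sample reclassified or moved to another rule set) the commit message should say so; otherwise keep the rule with only its date bumped, `date = "2023-07-31"`.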
@@ -4406,13 +5889,57 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_5439 { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_FF1C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ff1ccef7374a1a5054a6f4437e3e0504b14ed76e17090cc6b1a4ec0e2da427a5" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003600300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00360030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + all of them +} + + +rule 
PUA_VULN_Driver_Realixtm_Hwinfoisys_Hwinfoiakerneldriver_33C6 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO64I.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "33c6c622464f80a8d8017a03ff3aa196840da8bb03bfb5212b51612b5cf953dc" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f002000490041003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOIAKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e00370032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00370032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f003600340049002e005300590053 } /* InternalName HWiNFOISYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f002000490041003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOIAKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f003600340049002e005300590053 } /* OriginalFilename HWiNFOISYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100320020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5192 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -4428,13 +5955,57 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5192 { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_7125 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7125c9831a52d89d3d59fb28043b67fbe0068d69732da006fabb95550d1fa730" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003500300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00350030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + all of them +} + + +rule 
PUA_VULN_Driver_Novellinc_Novellxtier_E89C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e89cb7217ec1568b43ad9ca35bf059b17c3e26f093e373ab6ebdeee24272db21" + hash = "834a3d755b5ae798561f8e5fbb18cf28dfcae7a111dc6a03967888e9d10f6d78" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Advancedmicrodevicesinc_Amdpowerprofilersys_Amduprof_0AF5 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDPowerProfiler.sys" author = 
"Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d004400200050006f007700650072002000500072006f00660069006c0069006e00670020004400720069007600650072 } /* FileDescription AMDPowerProfilingDriver */ @@ -4456,7 +6027,7 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panioxsys_Paniolibr author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ 
@@ -4472,13 +6043,35 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panioxsys_Paniolibr } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_8DCE { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8dcec67a1f4903981c3e0ab938784c2f241e041e26748e1c22059e0e507cfb37" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003500300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00350030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + all of them +} + + rule 
PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_1AAF { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -4500,7 +6093,7 @@ rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriver_1D03 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ @@ -4523,7 +6116,7 @@ rule PUA_VULN_Driver_Windowsrddkprovider_Gdrvsys_Windowsrddkdriver_F4FF { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b" hash = "cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ 
@@ -4539,13 +6132,35 @@ rule PUA_VULN_Driver_Windowsrddkprovider_Gdrvsys_Windowsrddkdriver_F4FF { } +rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_0452 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0452a6e8f00bae0b79335c1799a26b2b77d603451f2e6cc3b137ad91996d4dec" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310033002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Avastsoftware_Aswvmmsys_Avastantivirus_3650 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswVmm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00610076006100730074002100200056004d0020004d006f006e00690074006f0072 } /* FileDescription avastVMMonitor */ @@ -4567,7 +6182,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_9B2F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ 
@@ -4583,6 +6198,28 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_9B2F { } +rule PUA_VULN_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_DD62 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "dd628061d6e53f3f0b44f409ad914b3494c5d7b5ff6ff0e8fc3161aacec93e96" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d0020004400720069007600650072 } /* FileDescription TrendMicroELAMDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FCA1 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" @@ -4590,7 +6227,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FCA1 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c" hash = "7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -4606,6 +6243,28 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FCA1 { } +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_DB71 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "db711ec3f4c96b60e4ed674d60c20ff7212d80e34b7aa171ad626eaa8399e8c7" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300034002e0030003100300035002e00320030003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300034002e0030003100300035002e0032003000310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_7E81 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" @@ -4613,7 +6272,7 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d" hash = "a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ 
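Review bot: The description of PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_DB71 lists rtkio.sys, rtkio64.sys, rtkiow8x64.sys and rtkiow10x64.sys, but the InternalName and OriginalFilename strings decode to "rtkio64.sys " (with a trailing space) and the CompanyName, ProductName and LegalCopyright strings include the space padding of that one build, so with `all of them` only that build's VersionInfo block can match. The other filenames in the description correspond to nothing in the rule and may mislead an analyst triaging a hit or assessing a coverage gap. Either narrow the description to `description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio64.sys"` or add a comment stating that the strings are pinned to the VersionInfo of hash db711ec3… and that other rtkio builds need their own rule.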
@@ -4629,23 +6288,63 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster } +rule PUA_VULN_Driver_Novellinc_Novellxtier_6CF1 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6cf1cac0e97d30bb445b710fd8513879678a8b07be95d309cbf29e9b328ff259" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310030002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_B175 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
EIO.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0" - date = "2023-07-14" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000370020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ + condition: + all of them +} + + +rule PUA_VULN_Driver_3F20 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - pchunter.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3f20ac5dac9171857fc5791865458fdb6eac4fab837d7eabc42cb0a83cb522fc" + date = "2023-07-31" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000370020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]7cfb7edf4fe1606f67e5770b5de55177 } /* FileDescription */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8982af7f5176feff0853174eacff0979d1628067099650516c53f8 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0035002e0037 } /* ProductVersion */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200032003000310039002d003200300032003100200041006e00580069006e00530065006300200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CAnXinSecCorporationAllRightsReserved */ condition: all of them } @@ -4657,7 +6356,7 @@ rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_082C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -4679,7 +6378,7 @@ rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_119C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f00360034 } /* FileDescription ALSysIO */ 
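Review bot: The non-ASCII VersionInfo strings in `PUA_VULN_Driver_3F20` (the `7cfb7edf...` FileDescription and `5b8982af...` CompanyName patterns) appear to be emitted as big-endian UTF-16 code units, whereas the Latin strings in this file (`00460069006c0065` for "File") seem to match the PE's little-endian resource only because the leading `00` byte lines up with the previous character's high byte; for CJK code points that one-byte shift does not hold, so with `all of them` this rule would likely never fire on the pchunter.sys sample it was generated for. The same shape appears in `PUA_VULN_Driver_Proxydrvsys_Nn_0B20` in the `@@ -4960,13 +6791,35 @@` hunk (`96f7795e...`). Worth verifying with yara against the referenced sample and, if confirmed, byte-swapping those code units in the generator (the first two characters would become `fb7c df7e`) rather than keeping strings that cannot match. Separately, the identifier lacks the vendor/product tokens every other rule carries, presumably because those values are non-ASCII; `rule PUA_VULN_Driver_Pchuntersys_3F20` would keep it consistent with the naming scheme.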
@@ -4695,13 +6394,35 @@ rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_119C { } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9CA5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9ca586b49135166eea00c6f83329a2d134152e0e9423822a51c13394265b6340" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_1DDF { meta: description = "Detects vulnerable driver 
mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -4723,7 +6444,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_12ED { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4745,7 +6466,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3D9E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004e00540049004f004c00690062005f00450043004f } /* FileDescription NTIOLibForNTIOLibECO */ @@ -4767,7 +6488,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_A5A5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ 
@@ -4789,7 +6510,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_2CE author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -4811,7 +6532,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_1C12 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -4827,13 +6548,57 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_1C12 { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_4E54 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4e54e98df13110aac41f3207e400cce2a00df29ce18c32186e536c1de25a75ce" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003000390020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + all of them +} + + +rule 
PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_A6F7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a6f7897cd08fe9de5e902bb204ff87215584a008f458357d019a50d6139ca4af" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300031002e0030003700320035002e00320030003100320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300031002e0030003700320035002e0032003000310032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f0044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_0F01 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ 
@@ -4849,13 +6614,57 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ } +rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxusbmonsys_Virtualboxusbmonitordriver_8A24 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSBMon.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8a2482e19040d591c7cec5dfc35865596ce0154350b5c4e1c9eecc86e7752145" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* FileDescription VirtualBoxUSBMonitorDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* InternalName VBoxUSBMonsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* ProductName VirtualBoxUSBMonitorDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* OriginalFilename VBoxUSBMonsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright SunMicrosystemsInc */ + condition: + all of them +} + + +rule 
PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_033C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "033c4634ab1a43bc3247384864f3380401d3b4006a383312193799dded0de4c7" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_C082 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4878,7 +6687,7 @@ rule PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_47EA { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84" hash = "3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ @@ -4900,7 +6709,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_591B { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d005300490052006100740069006f005f00430043 } /* FileDescription NTIOLibForMSIRatioCC */ @@ -4922,7 +6731,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3124 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004600720065007100750065006e00630079005f00430043 } /* FileDescription NTIOLibforMSIFrequencyCC */ 
@@ -4938,13 +6747,35 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3124 { } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5148 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "51480eebbbfb684149842c3e19a8ffbd3f71183c017e0c4bc6cf06aacf9c0292" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200033002c00200030002c00200033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200033002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003300200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + rule PUA_VULN_Driver_Safenetinc_Hostnt_Hostnt_07B6 { meta: description = "Detects 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HOSTNT.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006f00730074006e0074002000360034002d0062006900740020006400720069007600650072 } /* FileDescription Hostntbitdriver */ 
@@ -4960,13 +6791,35 @@ rule PUA_VULN_Driver_Safenetinc_Hostnt_Hostnt_07B6 { } +rule PUA_VULN_Driver_Proxydrvsys_Nn_0B20 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ProxyDrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0b205838a8271daea89656b1ec7c5bb7244c42a8b8000d7697e92095da6b9b94" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]96f7795e004e004e52a0901f5668002d9a7152a87a0b5e8f65874ef6 } /* FileDescription NN */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]96f7795eff086b666c49ff097f517edc6280672f67099650516c53f8 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c0039002c0035002c00330020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* InternalName ProxyDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]96f7795e004e004e52a0901f5668 } /* ProductName NN */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* OriginalFilename ProxyDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000400020005700770077002e004e006e002e0043006f006d } /* LegalCopyright CopyrightWwwNnCom */ + condition: + all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5027 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" hash = "5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4988,7 +6841,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_76E8 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5010,7 +6863,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_2D2C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
@@ -5032,7 +6885,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_37C6 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
@@ -5048,13 +6901,36 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_37C6 { } +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_442C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "442c18aeb09556bb779b21185c4f7e152b892410429c123c86fc209a802bff3c" + hash = "3e1f592533625bf794e0184485a4407782018718ae797103f9e968ff6f0973a1" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300035002e0030003800320035002e00320030003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300035002e0030003800320035002e0032003000310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* 
OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Zemanaltd_Zam_9A95 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -5073,7 +6949,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_CC58 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ 
@@ -5095,7 +6971,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_C901 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5117,7 +6993,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1273 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ 
@@ -5133,6 +7009,50 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1273 { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_4AC0 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4ac08a6035cfcafdac712d7c3cf2eef6e10258f14cee6e80e1ef2f71f5045173" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003900300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00390030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + all of them +} + + +rule 
PUA_VULN_Driver_Logitech_Lgcoretempsys_Lgcoretemp_E0CB { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgCoreTemp.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e0cb07a0624ddfacaa882af49e3783ae02c9fbd0ab232541a05a95b4a8abd8ef" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430050005500200043006f00720065002000540065006d007000650072006100740075007200650020004d006f006e00690074006f0072 } /* FileDescription CPUCoreTemperatureMonitor */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c006f006700690074006500630068 } /* CompanyName Logitech */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c00670043006f0072006500540065006d0070002e007300790073 } /* InternalName LgCoreTempsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c00670043006f0072006500540065006d0070 } /* ProductName LgCoreTemp */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c00670043006f0072006500540065006d0070002e007300790073 } /* OriginalFilename LgCoreTempsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004c006f006700690074006500630068002c00200049006e0063 } /* LegalCopyright CopyrightLogitechInc */ + condition: + all of them +} + + rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_C64D { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" 
@@ -5140,7 +7060,7 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_C64D { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc" hash = "55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ 
@@ -5156,13 +7076,56 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_C64D { } +rule PUA_VULN_Driver_Novellinc_Novellxtierforwindows_V_7A2C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7a2cd1dc110d014165c001ce65578da0c0c8d7d41cc1fa44f974e8a82296fc25" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760033002e003100200028003200300030003600300038003000380029 } /* ProductVersion v */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_16B5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = 
"Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "16b591cf5dc1e7282fdb25e45497fe3efc8095cbe31c05f6d97c5221a9a547e1" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_263E { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24" - date = 
"2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -5184,7 +7147,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E3EF { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5206,7 +7169,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_98B7 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f0072002000440065006200750067004c00450044 } /* FileDescription NTIOLibforDebugLED */ @@ -5228,7 +7191,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ 
@@ -5250,7 +7213,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -5268,11 +7231,11 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8137 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -5295,7 +7258,7 @@ rule PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_11BD { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5" hash = "a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ 
@@ -5311,13 +7274,35 @@ rule PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_11BD { } +rule PUA_VULN_Driver_Genitlkiwibenjaminxxxxx_Titidrv_Titidrvtiticatz_208E { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - titidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "208ea38734979aa2c86332eba1ea5269999227077ff110ac0a0d411073165f85" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007400690074006900640072007600200066006f0072002000570069006e0064006f00770073002000280074006900740069006300610074007a0029 } /* FileDescription titidrvforWindowstiticatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00690074006c006b0069007700690020002800420065006e006a0061006d0069006e0020005800580058005800580029 } /* CompanyName genitlkiwiBenjaminXXXXX */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0074006900740069006400720076 } /* InternalName titidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0074006900740069006400720076002000280074006900740069006300610074007a0029 } /* ProductName titidrvtiticatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0074006900740069006400720076002e007300790073 } /* OriginalFilename titidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00690074006c006b0069007700690020002800420065006e006a0061006d0069006e0020005800580058005800580029 } /* LegalCopyright CopyrightcgenitlkiwiBenjaminXXXXX */ + condition: + all of 
them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_0909 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5339,7 +7324,7 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7539 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ 
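Review bot: The CompanyName and LegalCopyright strings of PUA_VULN_Driver_Genitlkiwibenjaminxxxxx_Titidrv_Titidrvtiticatz_208E decode to `genitlkiwi (Benjamin XXXXX)`, which looks like a misspelled and deliberately redacted vendor string rather than stock VersionInfo, so with `all of them` the rule fingerprints this single altered sample and will not catch other titidrv.sys builds. If that is intended, record it in the meta, e.g. `description = "... - titidrv.sys (sample with altered CompanyName/LegalCopyright)"`; otherwise consider leaving those two strings out of the condition so the FileDescription, InternalName, OriginalFilename and version strings carry the match. The rule name inherits the same typo and is worth a glance.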
@@ -5355,13 +7340,37 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7539 { } +rule PUA_VULN_Driver_Netfiltersys_79E7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "79e7165e626c7bde546cd1bea4b9ec206de8bed7821479856bdb0a2adc3e3617" + hash = "edc6e32e3545f859e5b49ece1cabd13623122c1f03a2f7454a61034b3ff577ed" + hash = "18b923b169b2c3c7db5cbfda0db0999f04adb2cf6c917e5b1fb2ff04714ecac1" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a00530051002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQTDIHookDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f56689a7152a865874ef6 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + condition: + all of them +} + + rule 
PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E05E { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -5383,7 +7392,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_478D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5405,7 +7414,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_BE8D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ 
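Review bot: The CompanyName string `5b8f56fe65e05fe7` and the ProductName string `65e05fe752a0901f56689a7152a865874ef6` in PUA_VULN_Driver_Netfiltersys_79E7 are written as UTF-16 code points in big-endian order, while a PE stores VersionInfo as UTF-16LE. The Latin-only strings in these rules get away with that because their leading `00` actually lines up with the high byte of the preceding WORD, but for CJK code points both bytes are non-zero, so as far as the visible encoding shows these two strings can never match on disk and, with `all of them`, the whole rule is dead. The value bytes need swapping, e.g. `8f5bfe56e065e75f` and `e065e75fa0521f906856719aa8528765f64e`, or the generator should emit the hex of `.encode("utf-16-le")` for non-Latin values; a test scan against the three listed hashes would confirm. Separately, a `netfilter2.sys` driver with a `PUA_VULN` prefix deserves a second look, since that name is more commonly associated with a malicious than a merely vulnerable driver — confirm the classification before shipping.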
@@ -5427,7 +7436,7 @@ rule PUA_VULN_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautochkupddrvdri author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072004100750074006f00430068006b0055007000640044007200760020004400720069007600650072 } /* FileDescription AsrAutoChkUpdDrvDriver */ @@ -5449,7 +7458,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_0F17 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -5471,7 +7480,7 @@ rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublicbyvektortrev author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ 
@@ -5487,13 +7496,35 @@ rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublicbyvektortrev } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_7CF7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7cf756afcaf2ce4f8fb479fdede152a17eabf4c5c7c329699dab026a4c1d4fd0" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_4408 { 
meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -5515,7 +7546,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_D5C4 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ 
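Review bot: PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_7CF7 differs from the _16B5 rule added earlier in this diff, and from the _828A rule added in a later hunk, only in the FileVersion string (`6, 0, 0, 7` here) and the x64 wording of the FileDescription, so the file now carries several near-copies of one signature. If the generator can group by OriginalFilename, one rule with named `$fv*` alternatives and a condition of the form `all of ($k*) and 1 of ($fv*)` would be easier to maintain and would also catch intermediate builds; if this is deliberately one rule per hash group, that is fine as generated output but worth a note in the file header.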
@@ -5531,13 +7562,35 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_D5C4 { } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_828A { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "828a18b16418c021b6c4aa8c6d54cef4e815efca0d48b9ff14822f9ccb69dff2" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_3FA6 { meta: description = "Detects 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5559,7 +7612,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_80A5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5581,7 +7634,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_D783 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -5603,7 +7656,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_ADC1 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5625,7 +7678,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_9254 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004400440052005f00430043 } /* FileDescription NTIOLibforMSIDDRCC */ @@ -5647,7 +7700,7 @@ rule PUA_VULN_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_F060 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */ @@ -5669,7 +7722,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_EF6D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ 
@@ -5691,7 +7744,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_CC68 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5713,7 +7766,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Activeclean_A903 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5735,7 +7788,7 @@ rule PUA_VULN_Driver_Microfocus_Microfocusxtier_5351 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200053006500630075007200690074007900200043006f006e00740065007800740020004d0061006e0061006700650072 } /* FileDescription XTierSecurityContextManager */ 
@@ -5750,13 +7803,35 @@ rule PUA_VULN_Driver_Microfocus_Microfocusxtier_5351 { } +rule PUA_VULN_Driver_Novellinc_Novellxtier_1E9C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1e9c236ed39507661ec32731033c4a9b9c97a6221def69200e03685c08e0bfa7" + hash = "76276c87617b836dd6f31b73d2bb0e756d4b3d133bddfe169cb4225124ca6bfb" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_26C2 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers 
project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "26c28746e947389856543837aa59a5b1f4697e5721a04d00aa28151a2659b097" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ 
@@ -5772,13 +7847,35 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_26C2 } +rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_A209 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a2096b460e31451659b0dde752264c362f47254c8191930bc921ff16a4311641" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + condition: + all of them +} + + rule 
PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_DBC6 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5800,7 +7897,7 @@ rule PUA_VULN_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_3 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -5822,7 +7919,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_2AFD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -5844,7 +7941,7 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -5866,7 +7963,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_8FE9 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -5885,7 +7982,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_4BC0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -5907,7 +8004,7 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_EEA5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ 
@@ -5923,13 +8020,57 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_EEA5 { } +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_0EAB { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0eab16c7f54b61620277977f8c332737081a46bc6bbde50742b6904bdd54f502" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e0064007200610020004400650076006900630065002000440072006900760065007200200028007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright 
CopyrightSiSoftwareLtdPresentAllrightsreserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Innotekgmbh_Vboxguest_Virtualboxguestadditions_D53F { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxguest.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d53f9111a5e6c94b37e3f39c5860897405cb250dd11aa91c3814a98b1759c055" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004400720069007600650072 } /* FileDescription VirtualBoxGuestDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00760062006f007800670075006500730074 } /* InternalName vboxguest */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760062006f007800670075006500730074002e007300790073 } /* OriginalFilename vboxguestsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ + condition: + all of them +} + + rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolib_09BE { meta: description = "Detects 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ 
@@ -5945,13 +8086,35 @@ rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolib_09BE { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_6701 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6701433861742c08eb50f1e785962378143ad5b6c374ac29118168599f8a0f1c" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + all of them +} + + rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_FB6B { 
meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ 
@@ -5967,13 +8130,57 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_FB6B { } +rule PUA_VULN_Driver_Innotekgmbh_Iprt_Virtualboxguestadditions_BBF5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxMouseNT.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "bbf564a02784d53b8006333406807c3539ee4a594585b1f3713325904cb730ec" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200069003800300034003200200050006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxiPortDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00690038003000340032007000720074 } /* InternalName iprt */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004d006f007500730065004e0054002e007300790073 } /* OriginalFilename VBoxMouseNTsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Proxydrvsys_Nn_C0E7 { + meta: 
+ description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ProxyDrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "c0e74f565237c32989cb81234f4b5ad85f9dd731c112847c0a143d771021cb99" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]96f7795e004e004e52a0901f5668002d9a7152a87a0b5e8f65874ef6 } /* FileDescription NN */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]96f7795eff086b666c49ff097f517edc6280672f67099650516c53f8 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c0039002c0035002c0033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* InternalName ProxyDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]96f7795e004e004e52a0901f5668 } /* ProductName NN */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* OriginalFilename ProxyDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000400020005700770077002e004e006e002e0043006f006d } /* LegalCopyright CopyrightWwwNnCom */ + condition: + all of them +} + + rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_CFB7 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -5995,7 +8202,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_B author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ 
@@ -6011,13 +8218,35 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_B } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F42E { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f42eb29f5b2bcb2a70d796fd71fd1b259d5380b216ee672cf46dcdd4604b87ad" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200032002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_81AA { 
meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -6039,7 +8268,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2B4C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ 
@@ -6055,13 +8284,35 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2B4C { } +rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_B9AE { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b9ae1d53a464bc9bb86782ab6c55e2da8804c80a361139a82a6c8eef30fddd7c" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310034002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_7F37 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */ 
@@ -6077,13 +8328,78 @@ rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_7F37 { } +rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_38D6 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "38d6d90d543bf6037023c1b1b14212b4fa07731cbbb44bdb17e8faffc12b22e8" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200034002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200034002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310033002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_B205 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkiow8x64.sys " + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* InternalName rtkiowxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* 
ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtierforwindows_V_CA34 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ca34f945117ec853a713183fa4e8cf85ea0c2c49ca26e73d869fee021f7b491d" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760032002e003000200028003200300030003600300038003000380029 } /* ProductVersion v */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ + condition: + all of them +} + + rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_AD23 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ @@ -6105,7 +8421,7 @@ rule PUA_VULN_Driver_Symanteccorporation_Vproeventmonitorsys_Symanteceventmonito author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e0053007900730020002d0020004500760065006e00740020004d006f006e00690074006f00720069006e00670020006400720069007600650072 } /* FileDescription VProEventMonitorSysEventMonitoringdriver */ 
@@ -6121,13 +8437,57 @@ rule PUA_VULN_Driver_Symanteccorporation_Vproeventmonitorsys_Symanteceventmonito } +rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_EAA5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "eaa5dae373553024d7294105e4e07d996f3a8bd47c770cdf8df79bf57619a8cd" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055002d005a0020004400720069007600650072 } /* FileDescription CPUZDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_8EF5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8ef59605ebb2cb259f19aba1a8c122629c224c58e603f270eaa72f516277620c" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300032002e0030003100310036002e00320030003100350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300032002e0030003100310036002e0032003000310035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f0044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* 
ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_0B2A { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -6149,7 +8509,7 @@ rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_3724 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ 
@@ -6171,7 +8531,7 @@ rule PUA_VULN_Driver_Windowswinowsdriverkitsprovider_Hwrwdrvsys_Hardwarereadwrit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200072006500610064002000260020007700720069007400650020006400720069007600650072 } /* FileDescription Hardwarereadwritedriver */ 
@@ -6187,35 +8547,13 @@ rule PUA_VULN_Driver_Windowswinowsdriverkitsprovider_Hwrwdrvsys_Hardwarereadwrit } -rule PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_CF69 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb" - date = "2023-07-14" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000340020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ - condition: - all of them -} - - rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_133E { meta: 
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ 
@@ -6231,13 +8569,35 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_133E } +rule PUA_VULN_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_E505 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e505569892551b2ba79d8792badff0a41faea033e8d8f85c3afea33463c70bd9" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d00200044007200690076006500720020002800360034002d0042006900740029 } /* FileDescription TrendMicroELAMDriverBit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Logmeininc_Lmiinfosys_Logmein_453B { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LMIinfo.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f0067004d00650049006e0020004b00650072006e0065006c00200049006e0066006f0072006d006100740069006f006e002000500072006f00760069006400650072 } /* FileDescription LogMeInKernelInformationProvider */ @@ -6255,11 +8615,11 @@ rule PUA_VULN_Driver_Logmeininc_Lmiinfosys_Logmein_453B { rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9679 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ 
@@ -6275,13 +8635,35 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9679 { } +rule PUA_VULN_Driver_Innotekgmbh_Vboxusbsys_Virtualboxusbdriver_C509 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSB.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "c509935f3812ad9b363754216561e0a529fc2d5b8e86bfa7302b8d149b7d04aa" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* FileDescription VirtualBoxUSBdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* InternalName VBoxUSBSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* ProductName VirtualBoxUSBdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* OriginalFilename VBoxUSBSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright innotekGmbH */ + condition: + all of them +} + + rule PUA_VULN_Driver_Asustekcomputerinc_Iomapsys_Asuskernelmodedriverfornt_EA85 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - IOMap64.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" hash = "ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410053005500530020004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200066006f00720020004e00540020 } /* FileDescription ASUSKernelModeDriverforNT */ @@ -6303,7 +8685,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_EBE2 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -6325,7 +8707,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_7AD0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -6347,7 +8729,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_2732 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ 
@@ -6363,13 +8745,35 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_2732 { } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_AF16 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "af16c36480d806adca881e4073dcd41acb20c35ed0b1a8f9bd4331de655036e1" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200032002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200032002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003200200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + rule 
PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_FF96 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -6391,7 +8795,7 @@ rule PUA_VULN_Driver_Nvidiacorporation_Nvflash_Nvidiaflashdriver_AFDD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0056004900440049004100200046006c0061007300680020004400720069007600650072002c002000560065007200730069006f006e00200031002e0038002e0030 } /* FileDescription NVIDIAFlashDriverVersion */ @@ -6413,7 +8817,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_D1F4 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
@@ -6429,13 +8833,35 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_D1F4 { } +rule PUA_VULN_Driver_Netfiltersdkcom_Lgdcatchersys_Netfiltersdk_0C42 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgDCatcher.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0c42fe45ffa9a9c36c87a7f01510a077da6340ffd86bf8509f02c6939da133c5" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKTDIHookDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* CompanyName NetFilterSDKcom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0039 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c006700440043006100740063006800650072002e007300790073 } /* InternalName LgDCatchersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0065007400460069006c007400650072002000530044004b } /* ProductName NetFilterSDK */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c006700440043006100740063006800650072002e007300790073 } /* OriginalFilename LgDCatchersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020003f0020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ + condition: + all of them +} + + rule 
PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gdrv_FF67 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050004e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPNPDriver */ @@ -6457,7 +8883,7 @@ rule PUA_VULN_Driver_Mitactechnologycorporation_Mtcbsvsys_Mitacsystemserviceprov author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription MiTACSystemServiceProvider */ @@ -6479,7 +8905,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_EC5F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -6501,7 +8927,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ diff --git a/detections/yara/yara-rules_vuln_drivers_strict.yar b/detections/yara/yara-rules_vuln_drivers_strict.yar index e31cfda4f..795ddefea 100644 --- a/detections/yara/yara-rules_vuln_drivers_strict.yar +++ b/detections/yara/yara-rules_vuln_drivers_strict.yar 
@@ -1,11 +1,121 @@ +rule PUA_VULN_Driver_Novellinc_Novellxtier_EC13 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ec1307356828426d60eab78ffb5fc48a06a389dea6e7cc13621f1fa82858a613" + hash = "6c5aef14613b8471f5f4fdeb9f25b5907c2335a4bc18b3c2266fb1ffd8f1741d" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Iobit_Iobitunlockersys_Iobitunlocker_5EA5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from 
the PE header - iobitunlocker.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5ea5f339b2e40dea57378626790ca7e9a82777aacdada5bc61ebb7d82043fa07" + hash = "b0dd55b4dc7e561dfe413b029673674e2a5381f5f4daede03ddf3484310a6e11" + hash = "a92d2736c8cd99195a1ef4d0d9a3412bee481acf585944e3b5946b465361a3e7" + hash = "d3e95b8d8cbb0c4c3bb78d929408b37fd3b8f305b6234f7f03954465d52454eb" + hash = "b6ae324b84a4632cf690dd565954d64b205104fc3fa42181612c3f5b830579c6" + hash = "d8096325bfe81b093dd522095b6153d9c4850ba2eaa790e12e7056ef160d0432" + hash = "0209934453e9ce60b1a5e4b85412e6faf29127987505bfb1185fc9296c578b09" + hash = "2b33df9aff7cb99a782b252e8eb65ca49874a112986a1c49cd9971210597a8ae" + hash = "c2e1a3dd0dfb3477a3e855368b23d12b8818df8fa3bc3508abf069a0873d6bf8" + hash = "faa9aa7118ecf9bb6594281f6b582f1ced0cc62d5db09a2fbf9b7ce70c532285" + hash = "507724d96a54f3e45c16a065bf38ae82a9b80d07096a461068a701cae0c1cf29" + hash = "969f73a1da331e43777a3c1f08ec0734e7cf8c8136e5d469cbad8035fbfe3b47" + hash = "a38c26c0754f6c9389ea43dd0149db26b95742c1b37468fcf0d8ced66da1dcb9" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f0062006900740055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription IObitUnlockerDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f006200690074 } /* CompanyName IObit */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* InternalName IObitUnlockersys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072 } /* ProductName IObitUnlocker */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* OriginalFilename IObitUnlockersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0049004f00620069007400200043006f0070007900720069006700680074002000a900200032003000300035002d0032003000310033 } /* LegalCopyright IObitCopyright */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_D807 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d80714d87529bb0bc7abcc12d768c43a697fbca59741c38fa0b46900da4db30e" + hash = "fed0fe2489ae807913be33827b3b11359652a127e33b64464cc570c05abd0d17" + hash = "7048d90ed4c83ad52eb9c677f615627b32815066e34230c3b407ebb01279bae6" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003600200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Powertool_Kevpsys_Powertool_7462 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kEvP64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7462b7ae48ae9469474222d4df2f0c4f72cdef7f3a69a524d4fccc5ed0fd343f" + hash = "7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230" + hash = "d9500af86bf129d06b47bcfbc4b23fcc724cfbd2af58b03cdb13b26f8f50d65e" + hash = "97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56" + hash = "e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4" + hash = "2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d" + hash = "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c" + hash = "09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184" + hash = "8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006f0077006500720054006f006f006c } /* FileDescription PowerTool */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* CompanyName PowerTool */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* InternalName kEvPsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* ProductName PowerTool */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* OriginalFilename kEvPsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0050006f0077006500720054006f006f006c } /* LegalCopyright PowerTool */ + condition: + uint16(0) == 0x5a4d and filesize < 2900KB and all of them +} + + rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_8B92 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ 
@@ -27,7 +137,7 @@ rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_7196 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */ @@ -50,7 +160,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_1 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e" hash = "51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -73,7 +183,7 @@ rule PUA_VULN_Driver_Yyinc_Dianhu_BB50 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955" hash = "80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006400690061006e00680075 } /* FileDescription dianhu */ @@ -93,7 +203,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_CF4B { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d005300490043006c006f0063006b005f00430043 } /* FileDescription NTIOLibforMSIClockCC */ 
@@ -111,12 +221,14 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_CF4B { rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8F68 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00" + hash = "7227377a47204f8e2ff167eee54b4b3545c0a19e3727f0ec59974e1a904f4a96" + hash = "b11e109f6b3dbc8aa82cd7da0b7ba93d07d9809ee2a4b21ec014f6a676a53027" hash = "c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ 
@@ -138,11 +250,12 @@ rule PUA_VULN_Driver_Phoenixtechnologies_Agentsys_Driveragent_6948 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa" + hash = "4db1e0fdc9e6cefeb1d588668ea6161a977c372d841e7b87098cf90aa679abfb" hash = "8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f" hash = "b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414" hash = "05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748" hash = "4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004400720069007600650072004100670065006e0074002000440069007200650063007400200049002f004f00200066006f0072002000360034002d006200690074002000570069006e0064006f00770073 } /* FileDescription DriverAgentDirectIOforbitWindows */ @@ -171,7 +284,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_FF11 { hash = "57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572" hash = "4d0580c20c1ba74cf90d44c82d040f0039542eea96e4bbff3996e6760f457cee" hash = "a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
@@ -187,6 +300,105 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_FF11 { } +rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxusbsys_Virtualboxusbdriver_5B26 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSB.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5b26c4678ecd37d1829513f41ff9e9df9ef1d1d6fea9e3d477353c90cc915291" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* FileDescription VirtualBoxUSBdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* InternalName VBoxUSBSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* ProductName VirtualBoxUSBdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* OriginalFilename VBoxUSBSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright SunMicrosystemsInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_8E92 { + meta: + description = 
"Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8e92aacd60fca1f09b7257e62caf0692794f5d741c5d1eec89d841e87f2c359c" + hash = "84c5f6ddd9c90de873236205b59921caabb57ac6f7a506abbe2ce188833bbe51" + hash = "ac1af529c9491644f1bda63267e0f0f35e30ab0c98ab1aecf4571f4190ab9db4" + hash = "2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e" + hash = "79440da6b8178998bdda5ebde90491c124b1967d295db1449ec820a85dc246dd" + hash = "6001c6acae09d2a91f8773bbdfd52654c99bc672a9756dc4cb53dc2e3efeb097" + hash = "dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98" + hash = "8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126" + hash = "49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_7D4C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NCHGBIOS2x64.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7d4ca5760b6ad2e4152080e115f040f9d42608d2c7d7f074a579f911d06c8cf8" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00420049004f00530020005500700064006100740065002000440072006900760065007200200046006f0072002000570069006e0064006f007700730020007800360034002000450064006900740069006f006e } /* FileDescription BIOSUpdateDriverForWindowsxEdition */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e } /* CompanyName TOSHIBACorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0031002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0031002e0030002e0030 } /* 
ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* InternalName NCHGBIOSxSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0054004f00530048004900420041002000420049004f00530020005000610063006b006100670065 } /* ProductName TOSHIBABIOSPackage */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* OriginalFilename NCHGBIOSxSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200031003900390039002d003200300031003000200054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCTOSHIBACorporationAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_D7B7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d7b743c3f98662c955c616e0d1bb0800c9602e5b6f2385336a72623037bfd6dd" + hash = "2665d3127ddd9411af38a255787a4e2483d720aa021be8d6418e071da52ed266" + hash = "567809308cfb72d59b89364a6475f34a912d03889aa50866803ac3d0bf2c3270" + hash = "93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_2BBE { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" @@ -194,7 +406,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_2BBE { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250" hash = "e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d0053004900530069006d0070006c0065005f004f0043 } /* FileDescription NTIOLibForMSISimpleOC */ 
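Review bot: In PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_8E92 five of the eight required strings decode to DDK template values ("Windows (R) Codename Longhorn DDK provider", "6.0.6000.16386 built by: WinDDK", "6.0.6000.16386", "... DDK driver", the Microsoft copyright line) rather than driver-specific ones, so the only discriminators are "CPUID Driver" and the cpuz.sys InternalName/OriginalFilename; the nine `hash` meta entries document the samples but take no part in the condition. Any cpuz.sys built against that DDK would presumably match as well, including later builds that are not in the hash list, which is worth stating since the `score = 40` is the only hint of that. The same shape appears in PUA_VULN_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_BE68 (Server 2003 DDK strings, hunk ending at the AVG rule) and PUA_VULN_Driver_Windowsrwinddkprovider_Cpuzsys_Windowsrwinddkdriver_65DE (Win 7 DDK strings, hunk ending at the amifldrv rule). These rules look generator-produced, so the specificity fix belongs in the generator; at minimum the description could carry the caveat, e.g. `description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys (VersionInfo-only match, version strings are DDK defaults; confirm against the listed hashes)"`.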
@@ -217,7 +429,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_97B3 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd" hash = "89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -239,7 +451,7 @@ rule PUA_VULN_Driver_Phoenixtechnologiesltd_Phlashnt_Winphlash_65DB { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300570069006e0046006c006100730068002000440072006900760065007200200066006f0072002000570069006e0064006f007700730020004e0054 } /* FileDescription SWinFlashDriverforWindowsNT */ @@ -262,7 +474,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_EE3F { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7" hash = "62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -284,7 +496,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_ECD0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -306,7 +518,7 @@ rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriver_D205 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ 
@@ -322,13 +534,35 @@ rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriver_D205 { } +rule PUA_VULN_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_BE68 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "be683cd38e64280567c59f7dc0a45570abcb8a75f1d894853bbbd25675b4adf7" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055002d005a0020004400720069007600650072 } /* FileDescription CPUZDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_1023 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -346,11 +580,11 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_B019 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003300320020007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ 
@@ -366,6 +600,39 @@ rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_B019 { } +rule PUA_VULN_Driver_Windowsrwinddkprovider_Cpuzsys_Windowsrwinddkdriver_65DE { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "65deb5dca18ee846e7272894f74d84d9391bbe260c22f24a65ab37d48bd85377" + hash = "c7f64b27cd3be5af1c8454680529ea493dfbb09e634eec7e316445ad73499ae0" + hash = "c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e" + hash = "922d23999a59ce0d84b479170fd265650bc7fae9e7d41bf550d8597f472a3832" + hash = "1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c" + hash = "60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289" + hash = "592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c" + hash = "2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e" + hash = "c673f2eed5d0eed307a67119d20a91c8818a53a3cb616e2984876b07e5c62547" + hash = "b7aa4c17afdaff1603ef9b5cc8981bed535555f8185b59d5ae13f342f27ca6c5" + hash = "8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b" + hash = "4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Windowsrwinddkprovider_Amifldrvsys_Windowsrwinddkdriver_38D8 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amifldrv64.sys, amifldrv.sys" @@ -373,7 +640,7 @@ rule PUA_VULN_Driver_Windowsrwinddkprovider_Amifldrvsys_Windowsrwinddkdriver_38D reference = "https://github.com/magicsword-io/LOLDrivers" hash = "38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20" hash = "ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0049002000470065006e00650072006900630020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription AMIGenericUtilityDriver */ 
@@ -395,7 +662,7 @@ rule PUA_VULN_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_9131 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */ @@ -417,7 +684,7 @@ rule PUA_VULN_Driver_Cyreninc_Amp_Cyrenamp_CBB8 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00500020004d0069006e006900660069006c007400650072 } /* FileDescription AMPMinifilter */ 
@@ -433,6 +700,54 @@ rule PUA_VULN_Driver_Cyreninc_Amp_Cyrenamp_CBB8 { } +rule PUA_VULN_Driver_Novellinc_Novellxtier_66A2 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "66a20fc2658c70facd420f5437a73fa07a5175998e569255cfb16c2f14c5e796" + hash = "4cd80f4e33b713570f6a16b9f77679efa45a466737e41db45b41924e7d7caef4" + hash = "00c02901472d74e8276743c847b8148be3799b0e3037c1dfdca21fa81ad4b922" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule 
PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_0B54 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0b547368c03e0a584ae3c5e62af3728426c68b316a15f3290316844d193ad182" + hash = "f15962354d37089884abba417f58e9dbd521569b4f69037a24a37cfc2a490672" + hash = "9fa120bda98633e30480d8475c9ac6637470c4ca7c63763560bf869138091b01" + hash = "9eba5d1545fdbf37cf053ac3f3ba45bcb651b8abb7805cbfdfb5f91ea294fb95" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100370037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100370037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7882 { meta: 
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxdrv.sys" @@ -440,7 +755,7 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7882 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f" hash = "c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ 
@@ -456,6 +771,30 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7882 {
 }
+rule PUA_VULN_Driver_Windowsrwinddkprovider_Lgdatacatchersys_Gameacc_07FB {
+ meta:
+ description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgDataCatcher.sys"
+ author = "Florian Roth"
+ reference = "https://github.com/magicsword-io/LOLDrivers"
+ hash = "07fb2bb6c852f6a6fe982b2232f047e167be39738bac26806ffe0927ba873756"
+ hash = "45b07a2f387e047a6bb0e59b7f22fb56182d57b50e84e386a38c2dbb7e773837"
+ hash = "516159871730b18c2bddedb1a9da110577112d4835606ee79bb80e7a58784a13"
+ date = "2023-07-31"
+ score = 40
+ strings:
+ $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006500690067006f00640020006e006500740020006400610074006100200063006100740063006800650072002e } /* FileDescription Leigodnetdatacatcher */
+ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */
+ $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
+ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
+ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c006700440061007400610043006100740063006800650072002e007300790073 } /* InternalName LgDataCatchersys */
+ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470061006d0065004100630063 } /* ProductName GameAcc */
+ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c006700440061007400610043006100740063006800650072002e007300790073 } /* OriginalFilename LgDataCatchersys */
+ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002000320030003200300020006e006e002e0063006f006d } /* LegalCopyright Copyrightnncom */
+ condition:
+ uint16(0) == 0x5a4d and filesize < 200KB and all of them
+}
+
+
 rule PUA_VULN_Driver_Bsmisys_552F {
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BSMIx64.sys"
@@ -463,7 +802,7 @@ rule PUA_VULN_Driver_Bsmisys_552F {
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9"
 hash = "59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053004d00490020004400720069007600650072 } /* FileDescription SMIDriver */
@@ -486,7 +825,7 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Bsdefsys_Supportsstsfssteeatftatcamfntam
 hash = "5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be"
 hash = "3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5"
 hash = "0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440065006600610075006c0074002000420049004f005300200046006c0061007300680020004400720069007600650072 } /* FileDescription DefaultBIOSFlashDriver */
@@ -508,7 +847,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3070 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0053004900200043006f006d00430065006e00530065007200760069006300650020004400720069007600650072 } /* FileDescription MSIComCenServiceDriver */
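Review bot: The hex strings of this rule write each UTF-16 code unit high byte first (`0046 0069 …` for `Fi…`) while PE VersionInfo is stored little-endian; they still match because the leading `00` of each unit lines up with the trailing `00` of the previous one, so the pattern is the real byte sequence shifted by one. That alignment only holds while every code unit has a zero high byte (Latin-1, including `00a9` for © in later rules); a value containing characters above U+00FF needs each unit byte-swapped, and the `CompanyName` pattern `5b8f56fe65e05fe7` and `ProductName` pattern `65e05fe752a0901f5668` of `PUA_VULN_Driver_Netfiltersys_26D6` at the end of this diff look affected — since that rule requires `all of them`, it would then never match the sample it was built from. The rules added here (07FB) and F77F, 3140, 47E3, E728 and 4D03 use only Latin-1 values and are unaffected. The little-endian form I would expect is `8f5bfe56e065e75f` (constructed by swapping the rule's own value), but the generator's encoding step should be checked and the rule re-tested against the sample rather than patched by hand.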
@@ -530,7 +869,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_AAA3 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
@@ -552,7 +891,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_654C {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
@@ -574,18 +913,25 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_0D37 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f"
+ hash = "c8f0bb5d8836e21e7a22a406c69c01ba7d512a808c37c45088575d548ee25caa"
 hash = "df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15"
+ hash = "636b4c1882bcdd19b56370e2ed744e059149c64c96de64ac595f20509efa6220"
 hash = "19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758"
+ hash = "b01ebea651ec7780d0fe88dd1b6c2500a36dacf85e3a4038c2ca1c5cb44c7b5d"
 hash = "8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6"
 hash = "5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe"
+ hash = "a11cf43794ea5b5122a0851bf7de08e559f6e9219c77f9888ff740055f2c155e"
+ hash = "d0543f0fdc589c921b47877041f01b17a534c67dcc7c5ad60beba8cf7e7bc9c6"
+ hash = "b9695940f72e3ed5d7369fb32958e2146abd29d5895d91ccc22dfbcc9485b78b"
 hash = "11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b"
+ hash = "e51ec2876af3c9c3f1563987a9a35a10f091ea25ede16b1a34ba2648c53e9dfc"
 hash = "e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90"
 hash = "80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1"
 hash = "523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba"
 hash = "67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc"
 hash = "1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512"
 hash = "9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
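Review bot: `date` is moved from 2023-07-14 to 2023-07-31 on this rule although the hunk changes nothing but `hash` lines, and the same date-only rewrite is the entire content of the vboxdrv, BSMI, ASUS BIOS-flash, NTIOLib, Avast, Trend Micro, Toshiba, Lenovo, LG, Biostar, Process Explorer and AVG hunks of this diff, so `date` now records the regeneration run rather than when a rule's logic last changed. If the file is generator output, as the uniform description text suggests, keep `date` as the creation date and add a `modified = "2023-07-31"` meta line on regenerated rules, so a consumer can tell a logic change from a metadata refresh. The seven new hashes are also interleaved among the existing ones in no visible order; appending or sorting them would make a duplicate check against the other cpuz.sys rules (34BE, 26E3 and 8D57 further down) a plain diff.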
@@ -607,7 +953,7 @@ rule PUA_VULN_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_3143 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00420049004f00530020005500700064006100740065002000440072006900760065007200200046006f0072002000570069006e0064006f007700730020007800360034002000450064006900740069006f006e } /* FileDescription BIOSUpdateDriverForWindowsxEdition */
@@ -623,13 +969,37 @@ rule PUA_VULN_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_3143 {
 }
+rule PUA_VULN_Driver_Novellinc_Novellxtier_F77F {
+ meta:
+ description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys"
+ author = "Florian Roth"
+ reference = "https://github.com/magicsword-io/LOLDrivers"
+ hash = "f77fe6b1e0e913ac109335a8fa2ac4961d35cbbd50729936059aba8700690a9e"
+ hash = "c6feb3f4932387df7598e29d4f5bdacec0b9ce98db3f51d96fc4ffdcc6eb10e1"
+ hash = "1675eedd4c7f2ec47002d623bb4ec689ca9683020e0fdb0729a9047c8fb953dd"
+ hash = "e7b79fe1377b3da749590c080d4d96e59e622b1013b2183b98c81baa8bf2fffe"
+ date = "2023-07-31"
+ score = 40
+ strings:
+ $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */
+ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */
+ $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */
+ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */
+ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */
+ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */
+ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */
+ condition:
+ uint16(0) == 0x5a4d and filesize < 100KB and all of them
+}
+
+
 rule PUA_VULN_Driver_Wj_Kprocesshacker_C725 {
 meta:
- description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - krpocesshacker.sys"
+ description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kprocesshacker.sys"
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */
@@ -644,15 +1014,72 @@ rule PUA_VULN_Driver_Wj_Kprocesshacker_C725 {
 }
-rule PUA_VULN_Driver_Atitechnologiesinc_Atillksys_Atidiagnostics_5C04 {
+rule PUA_VULN_Driver_Novellinc_Novellxtier_3140 {
 meta:
- description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys"
+ description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys"
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a"
- hash = "ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173"
- hash = "38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7"
- date = "2023-07-14"
+ hash = "3140005ce5cac03985f71c29732859c88017df9d41c3761aa7c57bbcb7ad2928"
+ hash = "18f306b6edcfacd33b7b244eaecdd0986ef342f0d381158844d1f0ee1ac5c8d7"
+ hash = "c08581e3e444849729c5b956d0d6030080553d0bc6e5ae7e9a348d45617b9746"
+ hash = "94c226a530dd3cd8d911901f702f3dab8200d1d4fdc73fcb269f7001f4e66915"
+ hash = "00b3ff11585c2527b9e1c140fd57cb70b18fd0b775ec87e9646603056622a1fd"
+ date = "2023-07-31"
+ score = 40
+ strings:
+ $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */
+ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */
+ $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */
+ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */
+ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */
+ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */
+ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */
+ condition:
+ uint16(0) == 0x5a4d and filesize < 100KB and all of them
+}
+
+
+rule PUA_VULN_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwinddkdriver_47E3 {
+ meta:
+ description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys"
+ author = "Florian Roth"
+ reference = "https://github.com/magicsword-io/LOLDrivers"
+ hash = "47e35f474f259314c588af35e88561a015801b52db523eb75fc7eccff8b3be4d"
+ hash = "6703400b490b35bcde6e41ce1640920251855e6d94171170ae7ea22cdd0938c0"
+ hash = "f488500be4eaafba74b644be95d4c0523297770fb9bb78c449f643ab8d4a05d9"
+ hash = "639ff79f13e40d47b90ecd709699edd10e740cb41451acb95590a68b6352de2b"
+ hash = "0eace788e09c8d3f793a1fad94d35bcfd233f0777873412cd0c8172865562eec"
+ hash = "db1dbb09d437d3e8bed08c88ca43769b4fe8728f68b78ff6f9c8d2557e28d2b1"
+ hash = "5c54a5cd3386ac14725a07962562e9fdcefbb7be0d19803f9d71de24573de1e3"
+ hash = "8017e618b5a7aa608cc4bce16e4defd6b4e99138c4ba1bdd6ad78e39f035cf59"
+ date = "2023-07-31"
+ score = 40
+ strings:
+ $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b00200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKWFPDriverWPP */
+ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */
+ $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0039002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
+ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */
+ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */
+ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */
+ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */
+ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */
+ condition:
+ uint16(0) == 0x5a4d and filesize < 100KB and all of them
+}
+
+
+rule PUA_VULN_Driver_Atitechnologiesinc_Atillksys_Atidiagnostics_5C04 {
+ meta:
+ description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys"
+ author = "Florian Roth"
+ reference = "https://github.com/magicsword-io/LOLDrivers"
+ hash = "5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a"
+ hash = "c825a47817399e988912bb75106befaefae0babc0743a7e32b46f17469c78cad"
+ hash = "be66f3bbfed7d648cfd110853ddb8cef561f94a45405afc6be06e846b697d2b0"
+ hash = "ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173"
+ hash = "38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7"
+ hash = "6c6c5e35accc37c928d721c800476ccf4c4b5b06a1b0906dc5ff4df71ff50943"
+ date = "2023-07-31"
 score = 40
strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410054004900200044006900610067006e006f007300740069006300730020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription ATIDiagnosticsHardwareAbstractionSys */
@@ -674,7 +1101,7 @@ rule PUA_VULN_Driver_Lenovogrouplimitedr_Lenovodiagnosticsdriversys_Lenovodiagno
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c0065006e006f0076006f00200044006900610067006e006f00730074006900630073002000440072006900760065007200200066006f0072002000570069006e0064006f0077007300200031003000200061006e00640020006c0061007400650072002e } /* FileDescription LenovoDiagnosticsDriverforWindowsandlater */
@@ -697,7 +1124,7 @@ rule PUA_VULN_Driver_Lgelectronicsinc_Lhasys_Microsoftwindowsoperatingsystem_E75
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf"
 hash = "23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c00480041 } /* FileDescription LHA */
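Review bot: `PUA_VULN_Driver_Atitechnologiesinc_Atillksys_Atidiagnostics_5C04` is deleted at the top of this hunk and re-added at its bottom, and the only substantive differences between the two copies are three extra hashes (`c825a478…`, `be66f3bb…`, `6c6c5e35…`) and the date; because `score`, `strings:` and the first `$` line are context, the body appears unchanged, but a reviewer has to compare the copies line by line to be sure, and the rule's remaining strings and condition continue past the end of the hunk. If rule order is decided by the generator, a stable ordering (append new rules, or sort by rule name) would have shown this as a three-line in-place addition and kept the rule's history intact. The two new rules placed in between, Novell XTier 3140 and netfilter 47E3, look consistent with the existing ones, though 47E3's `CompanyName`/`ProductName` values are the generic WDK placeholders (`Windows (R) Win 7 DDK provider` / `… driver`), so its specificity rests on `InternalName`, `OriginalFilename` and `LegalCopyright` being required by `all of them`.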
@@ -713,6 +1140,29 @@ rule PUA_VULN_Driver_Lgelectronicsinc_Lhasys_Microsoftwindowsoperatingsystem_E75
 }
+rule PUA_VULN_Driver_Novellinc_Novellxtier_E728 {
+ meta:
+ description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys"
+ author = "Florian Roth"
+ reference = "https://github.com/magicsword-io/LOLDrivers"
+ hash = "e728b259113d772b4e96466ab8fe18980f37c36f187b286361c852bd88101717"
+ hash = "a15325e9e6b8e4192291deb56c20c558dde3f96eb682c6e90952844edb984a00"
+ hash = "4c859b3d11d2ff0049b644a19f3a316a8ca1a4995aa9c39991a7bde8d4f426a4"
+ date = "2023-07-31"
+ score = 40
+ strings:
+ $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */
+ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */
+ $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */
+ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */
+ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */
+ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */
+ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */
+ condition:
+ uint16(0) == 0x5a4d and filesize < 100KB and all of them
+}
+
+
 rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriverfle_55FE {
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_I2cIo.sys"
@@ -721,7 +1171,7 @@ rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriverfle_55FE {
 hash = "55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a"
 hash = "42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb"
 hash = "f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */
@@ -737,34 +1187,6 @@ rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriverfle_55FE {
 }
-rule PUA_VULN_Driver_Windowsrwinddkprovider_Cpuzsys_Windowsrwinddkdriver_C3E1 {
- meta:
- description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e"
- hash = "1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c"
- hash = "60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289"
- hash = "592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c"
- hash = "2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e"
- hash = "8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b"
- hash = "4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036"
- date = "2023-07-14"
- score = 40
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them
-}
-
-
 rule PUA_VULN_Driver_Windowsrserverddkprovider_Gdrvsys_Windowsrserverddkdriver_1792 {
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys"
@@ -772,8 +1194,9 @@ rule PUA_VULN_Driver_Windowsrserverddkprovider_Gdrvsys_Windowsrserverddkdriver_1
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229"
 hash = "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427"
+ hash = "88992ddcb9aaedb8bfcc9b4354138d1f7b0d7dddb9e7fcc28590f27824bee5c3"
 hash = "6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */
@@ -795,10 +1218,15 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_34BE {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "34bee22c18ddbddbe115cf1ab55cabf0e482aba1eb2c343153577fb24b7226d3"
+ hash = "da617fe914a5f86dc9d657ef891bbbceb393c8a6fea2313c84923f3630255cdb"
 hash = "5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02"
+ hash = "368a9c2b6f12adbe2ba65181fb96f8b0d2241e4eae9f3ce3e20e50c3a3cc9aa1"
+ hash = "572c545b5a95d3f4d8c9808ebeff23f3c62ed41910eb162343dd5338e2d6b0b4"
+ hash = "4d5059ec1ebd41284b9cea6ce804596e0f386c09eee25becdd3f6949e94139ba"
 hash = "bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa"
+ hash = "11a4b08e70ebc25a1d4c35ed0f8ef576c1424c52b580115b26149bd224ffc768"
 hash = "ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
@@ -820,7 +1248,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_7
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
@@ -842,7 +1270,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
@@ -864,9 +1292,17 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_26E3 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43"
+ hash = "53bd8e8d3542fcf02d09c34282ebf97aee9515ee6b9a01cefd81baa45c6fd3d6"
+ hash = "b4c07f7e7c87518e8950eb0651ae34832b1ecee56c89cdfbd1b4efa8cf97779f"
+ hash = "b738eab6f3e32cec59d5f53c12f13862429d3db6756212bbcd78ba4b4dbc234c"
+ hash = "0484defcf1b5afbe573472753dc2395e528608b688e5c7d1d178164e48e7bed7"
+ hash = "d366cbc1d5dd8863b45776cfb982904abd21d0c0d4697851ff54381055abcfc8"
+ hash = "65e3548bc09dffd550e79501e3fe0fee268f895908e2bba1aa5620eb9bdac52d"
 hash = "c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26"
+ hash = "fb1183ef22ecbcc28f9c0a351c2c0280f1312a0fdf8a9983161691e2585efc70"
+ hash = "8a0702681bc51419fbd336817787a966c7f92cabe09f8e959251069578dfa881"
 hash = "3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
@@ -888,9 +1324,12 @@ rule PUA_VULN_Driver_Novellinc_Novellxtier_2E66 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0"
+ hash = "b0b6a410c22cc36f478ff874d4a23d2e4b4e37c6e55f2a095fc4c3ef32bcb763"
 hash = "fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f"
+ hash = "5a661e26cfe5d8dedf8c9644129039cfa40aebb448895187b96a8b7441d52aaa"
 hash = "76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22"
- date = "2023-07-14"
+ hash = "202d9703a5b8d06c5f92d2c5218a93431aa55af389007826a9bfaaf900812213"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */
@@ -911,10 +1350,12 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_8D57 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2"
+ hash = "b8ffe83919afc08a430c017a98e6ace3d9cbd7258c16c09c4f3a4e06746fc80a"
 hash = "f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c"
 hash = "900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88"
 hash = "771015b2620942919bb2e0683476635b7a09db55216d6fbf03534cb18513b20c"
- date = "2023-07-14"
+ hash = "6c5c6c350c8dd4ca90a8cca0ed1eeca185ebc67b1100935c8f03eb3032aca388"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
@@ -936,7 +1377,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_9
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
@@ -952,6 +1393,38 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_9
 }
+rule PUA_VULN_Driver_Asrockincorporation_Asrdrvsys_Asrockiodriver_4D03 {
+ meta:
+ description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrDrv.sys"
+ author = "Florian Roth"
+ reference = "https://github.com/magicsword-io/LOLDrivers"
+ hash = "4d03a01257e156a3a018230059052791c3cde556e5cec7a4dd2f55f65c06e146"
+ hash = "950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9"
+ hash = "ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c"
+ hash = "a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc"
+ hash = "53bb076e81f6104f41bc284eedae36bd99b53e42719573fa5960932720ebc854"
+ hash = "d20d8bf80017e98b6dfc9f6c3960271fa792a908758bef49a390e2692a2a4341"
+ hash = "f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b"
+ hash = "3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838"
+ hash = "2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d"
+ hash = "6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7"
+ hash = "4bf974f5d3489638a48ee508b4a8cfa0f0262909778ccdd2e871172b71654d89"
+ date = "2023-07-31"
+ score = 40
+ strings:
+ $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* FileDescription ASRockIODriver */
+ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */
+ $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
+ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */
+ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* InternalName AsrDrvsys */
+ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* ProductName ASRockIODriver */
+ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* OriginalFilename AsrDrvsys */
+ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */
+ condition:
+ uint16(0) == 0x5a4d and filesize < 100KB and all of them
+}
+
+
 rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_9521 {
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
@@ -988,7 +1461,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_9521 {
 hash = "9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449"
 hash = "7893307df2fdde25371645a924f0333e1b2de31b6bc839d8e2a908d7830c6504"
 hash = "39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */
@@ -1012,7 +1485,8 @@ rule PUA_VULN_Driver_Asustek_Driversys_Ectool_4285 { hash = "42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0" hash = "927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a" hash = "771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd" - date = "2023-07-14" + hash = "1beb15c90dcf7a5234ed077833a0a3e900969b60be1d04fcebce0a9f8994bdbb" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400680065002000640072006900760065007200200066006f007200200074006800650020004500430074006f006f006c0020006400720069007600650072002d0062006100730065006400200074006f006f006c0073 } /* FileDescription ThedriverfortheECtooldriverbasedtools */ 
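Review bot: The `date` meta of this rule is rewritten from `"2023-07-14"` to `"2023-07-31"` although the only substantive change is the added hash line, so the rule's original creation date is overwritten on every regeneration and can no longer be recovered from the file; the same rewrite is applied to every rule in this diff that receives nothing but a date change (the Procexp, AVG, ZAM, Eldos, HP, Supermicro, Dell, RwDrv, MSI, Intel and Rivet rules). YARA metadata convention keeps `date` as the creation date and records later edits separately, e.g. keep `date = "2023-07-14"` and add `modified = "2023-07-31"`. Beyond convention, the blanket date churn makes every regenerated rule show up as changed, which buries the few hunks that actually alter detection coverage. If the generator intentionally stamps the run date, a header comment in the generated file saying so would stop reviewers from reading these as edits.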
@@ -1028,6 +1502,30 @@ rule PUA_VULN_Driver_Asustek_Driversys_Ectool_4285 { } +rule PUA_VULN_Driver_Netfiltersys_26D6 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "26d67d479dafe6b33c980bd1eed0b6d749f43d05d001c5dcaaf5fcddb9b899fe" + hash = "2fa78c2988f9580b0c18822b117d065fb419f9c476f4cfa43925ba6cd2dffac3" + hash = "6a234a2b8eb3844f7b5831ee048f88e8a76e9d38e753cc82f61b234c79fe1660" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a00530051002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQTDIHookDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule 
PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_D682 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" @@ -1044,7 +1542,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_D hash = "89b9823ed974a5b71de8468324d45b7e9d6dc914f93615ba86c6209b25b3cbf7" hash = "e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd" hash = "c089a31ac95d41ed02d1e4574962f53376b36a9e60ff87769d221dc7d1a3ecfa" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -1066,7 +1564,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_949 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ 
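Review bot: The CompanyName and ProductName strings of the new PUA_VULN_Driver_Netfiltersys_26D6 rule (`5b8f56fe65e05fe7` and `65e05fe752a0901f5668`) carry empty trailing comments `/* CompanyName */` and `/* ProductName */`, unlike every other string in the rule, which leaves a maintainer no way to check what the hex is meant to match; the same applies to PUA_VULN_Driver_Netfiltersys_7FF8 later in this diff. Those byte sequences contain no 00 bytes, so they presumably encode a non-ASCII UTF-16 value that the comment generator dropped, not an empty field, but that is an inference from the bytes. Record the decoded value, or at least the fact that it is non-ASCII, in the comment, e.g. `/* CompanyName - non-ASCII UTF-16 value, not rendered by the generator */`, so that a later regeneration that changes these bytes can be reviewed rather than accepted blind.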
@@ -1082,13 +1580,35 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_949 } +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_9E34 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9e3430d5e0e93bc4a5dccc985053912065e65722bfc2eaf431bc1da91410434c" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0036003000380037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0036003000380037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + rule PUA_VULN_Driver_Zemanaltd_Zam_7CB5 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" hash = "7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -1109,7 +1629,7 @@ rule PUA_VULN_Driver_Eldoscorporation_Elrawdsksys_Rawdisk_5A82 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a" hash = "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200610077004400690073006b0020004400720069007600650072002e00200041006c006c006f00770073002000770072006900740065002000610063006300650073007300200074006f002000660069006c0065007300200061006e006400200072006100770020006400690073006b00200073006500630074006f0072007300200066006f0072002000750073006500720020006d006f006400650020006100700070006c00690063006100740069006f006e007300200069006e002000570069006e0064006f007700730020003200300030003000200061006e00640020006c0061007400650072002e } /* FileDescription RawDiskDriverAllowswriteaccesstofilesandrawdisksectorsforusermodeapplicationsinWindowsandlater */ @@ -1131,7 +1651,7 @@ rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_C505 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ 
@@ -1147,13 +1667,61 @@ rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_C505 { } +rule PUA_VULN_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutsys_Inpoutdriverversion_B8DE { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - inpout32.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b8ded5e10dfc997482ba4377c60e7902e6f755674be51b0e181ae465529fb2f2" + hash = "945ee05244316ff2f877718cf0625d4eb34e6ec472f403f958f2a700f9092507" + hash = "cfab93885e5129a86d13fd380d010cc8c204429973b776ab1b472d84a767930f" + hash = "7db320e49139f636c8b6d12b6c78b666a62599e9d59587ba87c6b89b0a34b18d" + hash = "16360ead229b13deb47bc2bef40f282474c9f18c213c636cdfb8cc2495168251" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00650072006e0065006c0020006c006500760065006c00200070006f0072007400200061006300630065007300730020006400720069007600650072 } /* FileDescription Kernellevelportaccessdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048006900670068007200650073006f006c007500740069006f006e00200045006e0074006500720070007200690073006500730020005b007700770077002e006800690067006800720065007a002e0063006f002e0075006b005d } /* CompanyName HighresolutionEnterpriseswwwhighrezcouk */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006e0070006f0075007400330032002e007300790073 } /* InternalName inpoutsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006e0070006f00750074003300320020004400720069007600650072002000560065007200730069006f006e00200031002e0032 } /* ProductName 
inpoutDriverVersion */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006e0070006f0075007400330032002e007300790073 } /* OriginalFilename inpoutsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300030003800200048006900670068007200650073006f006c007500740069006f006e00200045006e007400650072007000720069007300650073002e00200050006f007200740069006f006e007300200043006f007000790072006900670068007400200028006300290020004c006f00670069007800340075 } /* LegalCopyright CopyrightcHighresolutionEnterprisesPortionsCopyrightcLogixu */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_B9AD { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b9ad7199c00d477ebbc15f2dcf78a6ba60c2670dad0ef0994cebccb19111f890" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200033002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Supermicrocomputerinc_Superbmc_Superbmc_F843 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - superbmc.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007300750070006500720062006d0063 } /* FileDescription superbmc */ 
@@ -1169,13 +1737,60 @@ rule PUA_VULN_Driver_Supermicrocomputerinc_Superbmc_Superbmc_F843 { } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_1228 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1228d0b6b4f907384346f64e918cc28021fe1cd7d4e39687bca34a708998261a" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200033002c00200031002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200033002c00200031002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003400200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule 
PUA_VULN_Driver_Novellinc_Novellxtier_DD2F { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "dd2f1f7012fb1f4b2fb49be57af515cb462aa9c438e5756285d914d65da3745b" + hash = "0cfb7ea2cc515a7fe913ab3619cbfcf1ca96d8cf72dc350905634a5782907a49" + hash = "b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b" + hash = "d1c78c8ba70368e96515fb0596598938a8f9efa8f9f5d9e068ee008f03020fee" + hash = "b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 
100KB and all of them +} + + rule PUA_VULN_Driver_Dell_Dbutil_71FE { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DBUtilDrv2.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440042005500740069006c } /* FileDescription DBUtil */ @@ -1195,10 +1810,13 @@ rule PUA_VULN_Driver_Rweverything_Rwdrvsys_Rwdrvdriver_EA0B { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3" hash = "3279593db91bb7ad5b489a01808c645eafafda6cc9c39f50d10ccc30203f2ddf" + hash = "83fbf5d46cff38dd1c0f83686708b3bd6a3a73fddd7a2da2b5a3acccd1d9359c" hash = "1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe" hash = "45ba688a4bded8a7e78a4f5b0dc21004e951ddceb014bb92f51a3301d2fbc56a" hash = "d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d" - date = "2023-07-14" + hash = "d15a0bc7a39bbeff10019496c1ed217b7c1b26da37b2bdd46820b35161ddb3c4" + hash = "bdcacb9f373b017d0905845292bca2089feb0900ce80e78df1bcaae8328ce042" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200770044007200760020004400720069007600650072 } /* FileDescription RwDrvDriver */ 
@@ -1214,13 +1832,37 @@ rule PUA_VULN_Driver_Rweverything_Rwdrvsys_Rwdrvdriver_EA0B { } +rule PUA_VULN_Driver_Netfiltersys_7FF8 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7ff8fe4c220cf6416984b70a7e272006a018e5662da3cedc2a88efeb6411b4a4" + hash = "1cd75de5f54b799b60789696587b56a4a793cf60775b81f236f0e65189d863af" + hash = "12656fc113b178fa3e6bfffc6473897766c44120082483eb8059ebff29b5d2df" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a0053005100200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0037002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule 
PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_7795 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0020002000200020002000200020002000200020002000200020002000200020 } /* FileDescription */ @@ -1242,7 +1884,7 @@ rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_CFCF { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */ @@ -1264,7 +1906,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ 
@@ -1280,13 +1922,71 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ } +rule PUA_VULN_Driver_Elaboratebytes_Elbycdio_Cdrtools_07AF { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "07af8c5659ad293214364789df270c0e6d03d90f4f4495da76abc2d534c64d88" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f003200300030003000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073 } /* CompanyName ElaborateBytes */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200045006c00610062006f007200610074006500200042007900740065007300200032003000300030 } /* LegalCopyright CopyrightCElaborateBytes */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_F7E0 { + meta: + description = 
"Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f7e0cca8ad9ea1e34fa1a5e0533a746b2fa0988ba56b01542bc43841e463b686" + hash = "ef1abc77f4000e68d5190f9e11025ea3dc1e6132103d4c3678e15a678de09f33" + hash = "deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578" + hash = "a3975db1127c331ba541fffff0c607a15c45b47aa078e756b402422ef7e81c2c" + hash = "019c2955e380dd5867c4b82361a8d8de62346ef91140c95cb311b84448c0fa4f" + hash = "6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63" + hash = "8d6febd54ce0c98ea3653e582f7791061923a9a4842bd4a1326564204431ca9f" + hash = "2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22" + hash = "600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0" + hash = "8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775" + hash = "45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26" + hash = "3301b49b813427fa37a719988fe6446c6f4468dfe15aa246bec8d397f62f6486" + hash = "f8d6ce1c86cbd616bb821698037f60a41e129d282a8d6f1f5ecdd37a9688f585" + hash = "bc8cb3aebe911bd9b4a3caf46f7dda0f73fec4d2e4e7bc9601bb6726f5893091" + hash = "955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* 
ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310034002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_9A91 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - KfeCo11X64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */ @@ -1309,7 +2009,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_1 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1" hash = "98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ 
@@ -1332,7 +2032,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4429 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b" hash = "a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -1354,7 +2054,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_7CB4 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
@@ -1370,21 +2070,68 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_7CB4 { } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_E2E7 { +rule PUA_VULN_Driver_Novellinc_Novellxtierforwindows_V_C190 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6" - date = "2023-07-14" + hash = "c190e4a7f1781ec9fa8c17506b4745a1369dcdf174ce07f85de1a66cf4b5ed8a" + date = "2023-07-31" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0034002e0034003200310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0034002e0034003200310031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0035002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760033002e0031002e003500200028003200300030003600300038003200380029 } /* ProductVersion v */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_DAF5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "daf549a7080d384ba99d1b5bd2383dbb1aa640f7ea3a216df1f08981508155f5" + hash = "786f0ba14567a7e19192645ad4e40bee6df259abf2fbdfda35b6a38f8493d6cc" + hash = "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69" + hash = "87aae726bf7104aac8c8f566ea98f2b51a2bfb6097b6fc8aa1f70adeb4681e1b" + hash = "48b1344e45e4de4dfb74ef918af5e0e403001c9061018e703261bbd72dc30548" + date = 
"2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_E2E7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0034002e0034003200310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0034002e0034003200310031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: @@ -1398,7 +2145,7 @@ rule PUA_VULN_Driver_Ssmartsoftwaresolutionsgmbh_Sysdrvs_Sysdrvs_0E53 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530079007300440072007600330053 } /* FileDescription SysDrvS */ 
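Review bot: Rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_E2E7 is removed at the top of this hunk and re-added further down byte-identical apart from `date = "2023-07-14"` becoming `date = "2023-07-31"`, so a 21→68 line rewrite is shown where the only real change is the two new rules (C190 and DAF5). The same date bump is applied to rules whose strings and hashes did not change in every other hunk of this file (for example the `@@ -1309` and `@@ -1332` hunks), which removes the only signal in the ruleset for when a rule was last materially changed. If the generator keeps the previous `date` for rules whose body is unchanged and emits rules in a stable order, diffs of this file become reviewable and consumers keying on rule name plus date stop seeing spurious churn.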
@@ -1420,7 +2167,7 @@ rule PUA_VULN_Driver_Copyright_Advancedmalwareprotection_6F55 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041006400760061006e0063006500640020004d0061006c0077006100720065002000500072006f00740065006300740069006f006e } /* FileDescription AdvancedMalwareProtection */ @@ -1443,7 +2190,7 @@ rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_D636 { hash = "d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2" hash = "0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff" hash = "ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */ 
@@ -1459,13 +2206,44 @@ rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_D636 { } +rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_405A { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "405a99028c99f36ab0f84a1fd810a167b8f0597725e37513d7430617106501f1" + hash = "73c03b01d5d1eb03ec5cb5a443714b12fa095cc4b09ddc34671a92117ae4bb3a" + hash = "e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b" + hash = "ff987c30ce822d99f3b4b4e23c61b88955f52406a95e6331570a2a13cbebc498" + hash = "78d49094913526340d8d0ef952e8fe9ada9e8b20726b77fb88c9fb5d54510663" + hash = "a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4" + hash = "b0f6cd34717d0cea5ab394b39a9de3a479ca472a071540a595117219d9a61a44" + hash = "0e8595217f4457757bed0e3cdea25ea70429732b173bba999f02dc85c7e06d02" + hash = "40da0adf588cbb2841a657239d92f24b111d62b173204b8102dd0e014932fe59" + hash = "ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310036002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FDA9 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -1481,6 +2259,28 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FDA9 { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_76AF { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "76af3f9fa111d694e37058606f2636430bdd378c85b94f426fbfcd6666ebe6cc" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e003700300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003000380020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule 
PUA_VULN_Driver_Novellinc_Novellxtier_AB09 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" @@ -1489,8 +2289,10 @@ rule PUA_VULN_Driver_Novellinc_Novellxtier_AB09 { hash = "ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a" hash = "e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48" hash = "e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790" + hash = "8138b219a2b1be2b0be61e5338be470c18ad6975f11119aee3a771d4584ed750" + hash = "f27febff1be9e89e48a9128e2121c7754d15f8a5b2e88c50102cecee5fe60229" hash = "da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ 
@@ -1505,41 +2307,13 @@ rule PUA_VULN_Driver_Novellinc_Novellxtier_AB09 { } -rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_DEEC { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578" - hash = "6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63" - hash = "2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22" - hash = "600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0" - hash = "8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775" - hash = "45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26" - hash = "955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad" - date = "2023-07-14" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310034002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them -} - - rule PUA_VULN_Driver_Microfocus_Microfocusxtier_95D5 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription XTierCOMServicesDriver */ @@ -1560,7 +2334,7 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_C894 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ 
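Review bot: Deleting PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_DEEC drops seven sample hashes (deecbcd2…, 6befa481…, 2101d5e8…, 600a2119…, 8cf0cbbd…, 45c3d607…, 955dac77…) that none of the rules added in the visible hunks carry; the new PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_405A added in the `@@ -1459,13 +2206,44 @@` hunk matches a 2016 LegalCopyright string whereas DEEC matched the 2014 string, so 405A cannot stand in for it. A cpuz.sys rule with the 2014 copyright string is being added at the very start of this chunk, but its hash list lies outside the visible hunk, so please confirm those seven hashes moved there rather than being lost. Because rule names here appear to end in the first listed hash, re-deriving or re-ordering a hash list renames the rule and silently breaks anything downstream that references rules by name; a commit-message line listing renamed rules (old → new) would make that traceable.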
@@ -1576,13 +2350,36 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_C894 { } +rule PUA_VULN_Driver_Novellinc_Novellxtier_003E { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "003e61358878c7e49e18420ee0b4a37b51880be40929a76e529c7b3fb18e81b4" + hash = "8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c" + hash = "53810ca98e07a567bb082628d95d796f14c218762cbbaa79704740284dccda4b" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule 
PUA_VULN_Driver_Zemanaltd_Zam_7661 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ 
@@ -1595,13 +2392,35 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_7661 { } +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_965D { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "965d4f981b54669a96c5ab02d09bf0a9850d13862425b8981f1a9271350f28bb" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310031 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E4EC { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values 
from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ 
@@ -1617,13 +2436,36 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E4EC { } +rule PUA_VULN_Driver_Novellinc_Novellxtier_653F { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "653f6a65e0e608cae217bea2f90f05d8125cf23f83ba01a60de0f5659cfa5d4d" + hash = "a855b6ec385b3369c547a3c54e88a013dd028865aba0f3f08be84cdcbaa9a0f6" + hash = "49ef680510e3dac6979a20629d10f06822c78f45b9a62ec209b71827a526be94" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule 
PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_7D43 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -1645,7 +2487,7 @@ rule PUA_VULN_Driver_Pchuntersys_Pchunter_1B7F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00450070006f006f006c0073006f00660074002000570069006e0064006f0077007300200049006e0066006f0072006d006100740069006f006e0020005600690065007700200054006f006f006c0073 } /* FileDescription EpoolsoftWindowsInformationViewTools */ 
@@ -1667,9 +2509,13 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_2A6D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486" + hash = "3813c1aab1760acb963bcc10d6ea3fddc2976b9e291710756408de392bc9e5d5" hash = "aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399" + hash = "68671b735716ffc168addc052c5dc3d635e63e71c1e78815e7874286c3fcc248" hash = "1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961" - date = "2023-07-14" + hash = "69640e9209f8e2ac25416bd3119b5308894b6ce22b5c80cb5d5f98f2f85d42ce" + hash = "2298e838e3c015aedfb83ab18194a2503fe5764a862c294c8b39c550aab2f08e" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -1692,7 +2538,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolibx_1E8B { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee" hash = "5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062005f005800360034 } /* FileDescription NTIOLibX */ 
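Review bot: The four new hashes for PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_2A6D are interleaved between the existing `hash =` lines rather than appended, which suggests the generator emits hashes in whatever order the source data lists them. If that order is not stable, future regenerations will reshuffle these lines, and since the rule name carries the first hash, a reshuffle that changes the leading hash renames the rule. Sorting the hash list in the generator, or pinning the leading hash, would make the output deterministic.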
@@ -1708,13 +2554,37 @@ rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolibx_1E8B { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_1B17 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1b17d12076d047e74d15e6e51e10497ad49419bec7fbe93386c57d3efbaadc0b" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule 
PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_C628 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2" - date = "2023-07-14" + hash = "0d30c6c4fa0216d0637b4049142bc275814fd674859373bd4af520ce173a1c75" + hash = "7164aaff86b3b7c588fc7ae7839cc09c5c8c6ae29d1aff5325adaf5bedd7c9f5" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ @@ -1736,7 +2606,7 @@ rule PUA_VULN_Driver_Wj_Kprocesshacker_7021 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */ @@ -1757,7 +2627,7 @@ rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_AB8F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ 
@@ -1773,13 +2643,38 @@ rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_AB8F { } +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_8ED0 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8ed0c00920ce76e832701d45117ed00b12e20588cb6fe8039fbccdfef9841047" + hash = "e77786b21dbe73e9619ac9aac5e7e92989333d559aa22b4b65c97f0a42ff2e21" + hash = "9724488ca2ba4c787640c49131f4d1daae5bd47d6b2e7e5f9e8918b1d6f655be" + hash = "a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0037003400360035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0037003400360035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + rule 
PUA_VULN_Driver_Windowsrwinddkprovider_Cupfixerxsys_Windowsrwinddkdriver_8C74 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CupFixerx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530069006e0063006500790020004300750070002000460069007800650072 } /* FileDescription SinceyCupFixer */ @@ -1801,7 +2696,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_3B6E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -1823,7 +2718,7 @@ rule PUA_VULN_Driver_Mydriverscom_Hwm_Drivergenius_08EB { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440072006900760065007200470065006e0069007500730020004800610072006400770061007200650020006d006f006e00690074006f0072 } /* FileDescription DriverGeniusHardwaremonitor */ 
@@ -1839,13 +2734,36 @@ rule PUA_VULN_Driver_Mydriverscom_Hwm_Drivergenius_08EB { } +rule PUA_VULN_Driver_Rweverything_Asrsetupdrvsys_Asrsetupdrvdriver_A072 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrSetupDrv103.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a0728184caead84f2e88777d833765f2d8af6a20aad77b426e07e76ef91f5c3f" + hash = "9d9346e6f46f831e263385a9bd32428e01919cca26a035bbb8e9cb00bf410bc3" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072005300650074007500700044007200760031003000330020004400720069007600650072 } /* FileDescription AsrSetupDrvDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e0067 } /* CompanyName RWEverything */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00410073007200530065007400750070004400720076003100300033002e007300790073 } /* InternalName AsrSetupDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100730072005300650074007500700044007200760031003000330020004400720069007600650072 } /* ProductName AsrSetupDrvDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00410073007200530065007400750070004400720076003100300033002e007300790073 } /* OriginalFilename AsrSetupDrvsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002000520057002d00450076006500720079007400680069006e0067 } /* LegalCopyright CopyrightCRWEverything */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_36E3 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ 
@@ -1861,13 +2779,35 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_36E3 { } +rule PUA_VULN_Driver_Innotekgmbh_Vboxguest_Virtualboxguestadditions_9833 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxguest.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "983310cdce8397c016bfcfcc9c3a8abbb5c928b235bc3c3ae3a3cc10ef24dfbd" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004400720069007600650072 } /* FileDescription VirtualBoxGuestDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00760062006f007800670075006500730074 } /* InternalName vboxguest */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760062006f007800670075006500730074002e007300790073 } /* OriginalFilename vboxguestsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule 
PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_8CFD { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -1889,7 +2829,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_58A7 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ 
@@ -1905,13 +2845,64 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_58A7 { } +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_AD8F { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ad8fd8300ed375e22463cea8767f68857d9a3b0ff8585fbeb60acef89bf4a7d7" + hash = "0507d893e3fd2917c81c1dc13ccb22ae5402ab6ca9fb8d89485010838050d08d" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0039003900380036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0039003900380036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + +rule PUA_VULN_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwinddkdriver_0F3E { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE 
header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0f3e7bf7b103613844a38afb574817ddaecd00e4d206d891660dbb0e5dfee04e" + hash = "62b14bb308c99132d90646e85bc7d6eb593f38e225c8232f69f24b74a019c176" + hash = "9dbc2a37f53507296cc912e7d354dab4e55541ba821561aa84f74d1bd8346be2" + hash = "71701c5c569ef67391c995a12b21ca06935b7799ed211d978f7877115c58dce0" + hash = "81bcd8a3f8c17ac6dc4bad750ad3417914db10aa15485094eef0951a3f72bdbd" + hash = "1a0f57a4d7c8137baf24c65d542729547b876979273df7a245aaeea87280c090" + hash = "65a3e69854c729659281d2c5f8a4c8274ad3606befdcd9e1b79d3262f260bfa1" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b00200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0039002e0037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e0039003200300030002e00320030003500350037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_BDBC { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -1933,7 +2924,7 @@ rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_A468 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ 
@@ -1948,6 +2939,31 @@ rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_A468 { } +rule PUA_VULN_Driver_Novellinc_Novellxtier_6B71 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6b71b7f86e41540a82d7750a698e0386b74f52962b879cbb46f17935183cd2c7" + hash = "dd4fedd5662122cbfe046a12e2137294ef1cb7822238d9e24eacc78f22f8e93d" + hash = "cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190" + hash = "1c2f1e2b0cc4da128feb73a6b9dd040df8495fefe861d69c9f44778c6ddb9b9b" + hash = "904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright 
CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_FD38 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - hw.sys" @@ -1955,7 +2971,7 @@ rule PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_FD38 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c" hash = "6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d00380020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */ @@ -1977,7 +2993,7 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ 
@@ -1993,13 +3009,60 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster } +rule PUA_VULN_Driver_Innotekgmbh_Vboxusbmonsys_Virtualboxusbmonitordriver_3D05 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSBMon.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3d055be2671e136c937f361cef905e295ddb6983526341f1d5f80a16b7655b40" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* FileDescription VirtualBoxUSBMonitorDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* InternalName VBoxUSBMonsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* ProductName VirtualBoxUSBMonitorDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* OriginalFilename VBoxUSBMonsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright innotekGmbH */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_4C2D { + meta: + description = "Detects vulnerable 
driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4c2d2122ef7a100e1651f2ec50528c0d1a2b8a71c075461f0dc58a1aca36bc61" + hash = "d59cc3765a2a9fa510273dded5a9f9ac5190f1edf24a00ffd6a1bbd1cb34c757" + hash = "dafa4459d88a8ab738b003b70953e0780f6b8f09344ce3cd631af70c78310b53" + hash = "46d1dc89cc5fa327e7adf3e3d6d498657240772b85548c17d2e356aac193dd28" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003200300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003200300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310038002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_7133 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from 
the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -2021,7 +3084,7 @@ rule PUA_VULN_Driver_Pinduoduoltdcorp_Vboxdrv_Pinduoduosecurevdi_9DAB { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ 
@@ -2037,6 +3100,28 @@ rule PUA_VULN_Driver_Pinduoduoltdcorp_Vboxdrv_Pinduoduosecurevdi_9DAB { } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_83A1 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "83a1fabf782d5f041132d7c7281525f6610207b38f33ff3c5e44eb9444dd0cbc" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200031002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200031002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003500200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule 
PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3FF3 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" @@ -2044,7 +3129,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa" hash = "86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ 
@@ -2060,13 +3145,39 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3 } +rule PUA_VULN_Driver_Novellinc_Novellxtier_1493 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "14938f68957ede6e2b742a550042119a8fbc9f14427fb89fa53fff12d243561c" + hash = "e4cf438838dc10b188b3d4a318fd9ba2479abb078458d7f97591c723e2d637ce" + hash = "41eeeb0472c7e9c3a7146a2133341cd74dd3f8b5064c9dee2c70e5daa060954f" + hash = "ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2" + hash = "a495ffa623a5220179b0dd519935e255dd6910b7b7bc3d68906528496561ff53" + hash = "28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_6532 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ @@ -2088,7 +3199,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_1768 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -2110,7 +3221,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_D7E0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ 
@@ -2130,7 +3241,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1A42 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -2152,7 +3263,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_BCFC { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2175,7 +3286,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3854 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039" hash = "b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -2191,13 +3302,35 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3854 { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_EC9B { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ec9bd7fb90c3a2aa4605bd73fe1f74399e2cda75fd4c5fff84660ad4f797c4fe" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule 
PUA_VULN_Driver_Entechtaiwan_Seasys_Softenginex_6CB5 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Se64a.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006e005400650063006800200073006f006600740045006e00670069006e006500200078003600340020006b00650072006e0065006c002d006d006f006400650020006400720069007600650072 } /* FileDescription EnTechsoftEnginexkernelmodedriver */ @@ -2219,7 +3352,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_4B52 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ 
@@ -2235,25 +3368,23 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_4B52 { } -rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_E0B5 { +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_7702 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b" - hash = "a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4" - hash = "ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d" - date = "2023-07-14" + hash = "7702f240800528d8186e3e6a26e2680486fed65a6fb5a2a000ad12c1fb61a398" + date = "2023-07-31" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310036002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003700300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } 
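Review bot: This hunk (old range 2235) drops detection coverage rather than only adding it: rule `PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_E0B5` with its three hashes (e0b5…, a072…, ded2…) is removed and its slot is taken by the new HWiNFO rule `…_Hwinfokerneldriver_7702`, and none of the removed cpuz.sys hashes reappear anywhere in the visible part of this diff. The same pattern occurs in the hunk at old range 2474, where `PUA_VULN_Driver_Novellinc_Novellxtier_B37B` (hashes b37b…, b50f…) is replaced by the innotek VBoxTAP rule `…_994F`; the later libnicm rule `…_D04C` added at old range 2607 lists four different hashes and different FileVersion/LegalCopyright strings, so it does not cover those two samples either. If these rules are generated from the project's driver YAML (the uniform descriptions suggest so), the regression should be confirmed and fixed in the source data rather than patched here; otherwise the two removed rules should be kept alongside the new ones. Consider a CI check that diffs the set of `hash =` values before and after regeneration and fails when a hash silently disappears from the rule set.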
@@ -2265,7 +3396,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_18DE { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -2283,11 +3414,11 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_18DE { rule PUA_VULN_Driver_Iobitinformationtechnology_Iobitunlockersys_Unlocker_F85C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - IObitUnlocker.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iobitunlocker.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription UnlockerDriver */ @@ -2309,7 +3440,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_5BD author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ 
@@ -2331,7 +3462,7 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -2353,7 +3484,7 @@ rule PUA_VULN_Driver_Multitheftauto_Mtasanandreas_9F4C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0075006c007400690020005400680065006600740020004100750074006f0020007000610074006300680020006400720069007600650072 } /* FileDescription MultiTheftAutopatchdriver */ 
@@ -2367,13 +3498,35 @@ rule PUA_VULN_Driver_Multitheftauto_Mtasanandreas_9F4C { } +rule PUA_VULN_Driver_Novellinc_Novellxtier_F629 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f62911334068c9edd44b9c3e8dee8155a0097aa331dd4566a61afa3549f35f65" + hash = "0cf91e8f64a7c98dbeab21597bd76723aee892ed8fa4ee44b09f9e75089308e2" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Zemanaltd_Zam_45F4 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project 
using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -2392,7 +3545,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3E1D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2414,7 +3567,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_19D author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ 
@@ -2430,13 +3583,57 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_19D } +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_4ED2 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e00320030003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxtapsys_Virtualboxhostinterfacenetworkingdriver_CFA2 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxTAP.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "cfa28e2f624f927d4cbd2952306570d86901d2f24e3d07cc6277e98289d09783" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* FileDescription VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002f0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002f0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* InternalName VBoxTAPsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* ProductName VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* OriginalFilename VBoxTAPsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e002000260020004f00740068006500720073 } /* LegalCopyright SunMicrosystemsIncOthers */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_B583 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - KfeCo10X64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */ 
@@ -2452,13 +3649,57 @@ rule PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_B583 { } +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_88FB { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "88fb0a846f52c3b680c695cd349bf56151a53a75a07b8b0b4fe026ab8aa0a9af" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530070006500650064002000460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310030 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautochkupddrvdriver_4AE4 { + meta: + description = "Detects 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrAutoChkUpdDrv_1_0_32.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4ae42c1f11a98dee07a0d7199f611699511f1fb95120fabc4c3c349c485467fe" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f003300320020004400720069007600650072 } /* FileDescription AsrAutoChkUpdDrvDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f00330032002e007300790073 } /* InternalName AsrAutoChkUpdDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f003300320020004400720069007600650072 } /* ProductName AsrAutoChkUpdDrvDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f00330032002e007300790073 } /* OriginalFilename AsrAutoChkUpdDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* 
LegalCopyright CopyrightCASRockIncorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_F6CD { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ 
@@ -2474,23 +3715,23 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster } -rule PUA_VULN_Driver_Novellinc_Novellxtier_B37B { +rule PUA_VULN_Driver_Innotekgmbh_Vboxtapsys_Virtualboxhostinterfacenetworkingdriver_994F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxTAP.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b" - hash = "b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e" - date = "2023-07-14" + hash = "994f322def98c99aec7ea0036ef5f4b802120458782ae3867d116d55215c56e4" + date = "2023-07-31" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* FileDescription VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002f0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002f0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* InternalName VBoxTAPsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* ProductName VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* OriginalFilename VBoxTAPsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048002000260020004f00740068006500720073 } /* LegalCopyright innotekGmbHOthers */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } 
@@ -2502,7 +3743,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2A62 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -2524,7 +3765,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -2547,7 +3788,7 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_092D reference = "https://github.com/magicsword-io/LOLDrivers" hash = "092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0" hash = "0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ 
@@ -2563,13 +3804,36 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_092D } +rule PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_9D53 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9d530642aeb6524691d06b9e02a84e3487c9cdd86c264b105035d925c984823a" + hash = "5e27fe26110d2b9f6c2bad407d3d0611356576b531564f75ff96f9f72d5fcae4" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00310032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e00310032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Supermicrocomputerinc_Phymem_Phymem_1963 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - phymem64.sys" 
author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007000680079006d0065006d0020004100700070006c00690063006100740069006f006e } /* FileDescription phymemApplication */ @@ -2591,7 +3855,7 @@ rule PUA_VULN_Driver_Hilschergesellschaftfrsystemaoutomationmbh_Physmemsys_Physi author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006800790073006900630061006c0020004d0065006d006f0072007900200041006300630065007300730020004400720069007600650072 } /* FileDescription PhysicalMemoryAccessDriver */ 
@@ -2607,13 +3871,37 @@ rule PUA_VULN_Driver_Hilschergesellschaftfrsystemaoutomationmbh_Physmemsys_Physi } +rule PUA_VULN_Driver_Novellinc_Novellxtier_D04C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d04c72fd31e7d36b101ad30e119e14f6df9cbc7a761526da9b77f9e0b9888bc4" + hash = "3b7177e9a10c1392633c5f605600bb23c8629379f7f42957972374a05d4dc458" + hash = "87e094214feb56a482cd8ae7ee7c7882b5a8dccce7947fdaa04a660fa19f41e5" + hash = "72b67b6b38f5e5447880447a55fead7f1de51ca37ae4a0c2b2f23a4cb7455f35" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + 
condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_E839 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004300500055005f00430043 } /* FileDescription NTIOLibforMSICPUCC */ @@ -2631,11 +3919,11 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_E839 { rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F85E { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ 
@@ -2657,8 +3945,11 @@ rule PUA_VULN_Driver_Novellinc_Novellxtier_6C71 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44" + hash = "8b688dd055ead2c915a139598c8db7962b42cb6e744eaacfcb338c093fc1f4e7" + hash = "84739539aa6a9c9cb3c48c53f9399742883f17f24e081ebfa7bfaaf59f3ed451" + hash = "e279e425d906ba77784fb5b2738913f5065a567d03abe4fd5571695d418c1c0f" hash = "3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ @@ -2679,7 +3970,7 @@ rule PUA_VULN_Driver_Dtresearchinc_Iomemsys_Iomemsys_DD4A { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ @@ -2702,7 +3993,7 @@ rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_0005 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b" hash = "a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ 
@@ -2724,7 +4015,7 @@ rule PUA_VULN_Driver_Creativetechnologyinnovationcoltd_Ctiiosys_Ctiiodriverversi author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430054004900200049004f0020006400720069007600650072 } /* FileDescription CTIIOdriver */ @@ -2746,7 +4037,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_6500 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ 
@@ -2758,7 +4049,29 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_6500 { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them + uint16(0) == 0x5a4d and filesize < 300KB and all of them +} + + +rule PUA_VULN_Driver_Elaboratebytes_Elbycdio_Cdrtools_98EC { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "98ec7cc994d26699f5d26103a0aeb361128cff3c2c4d624fc99126540e23e97e" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f003200300030003000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073 } /* CompanyName ElaborateBytes */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200031002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200045006c00610062006f007200610074006500200042007900740065007300200032003000300030 } /* LegalCopyright CopyrightCElaborateBytes */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them } @@ -2772,7 +4085,7 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_1A4F { hash = "0da746e49fd662be910d0e366934a7e02898714eaaa577e261ab40eb44222b5c" hash = "e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f" hash = "01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ @@ -2795,7 +4108,7 @@ rule PUA_VULN_Driver_Huawei_Hwosec_Huaweimatebook_BB11 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc" hash = "b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00480077004f0073003200450063 } /* FileDescription HwOsEc */ 
@@ -2817,7 +4130,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_1F81 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
@@ -2833,13 +4146,59 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_1F81 { } +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_0BD1 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0bd1523a68900b80ed1bccb967643525cca55d4ff4622d0128913690e6bb619e" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310033 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_1FAC { + meta: + description = "Detects vulnerable driver mentioned in 
LOLDrivers project using VersionInfo values from the PE header - EIO.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1fac3fab8ea2137a7e81a26de121187bf72e7d16ffa3e9aec3886e2376d3c718" + hash = "f4c7e94a7c2e49b130671b573a9e4ff4527a777978f371c659c3f97c14d126de" + hash = "cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000340020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_ADA4 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers 
project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ 
@@ -2855,13 +4214,35 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_ADA4 { } +rule PUA_VULN_Driver_Netfiltersys_F171 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f1718a005232d1261894b798a60c73d971416359b70d0e545d7e7a40ed742b71" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a0053005100200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0037002e0038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e0039003200300030002e00320030003500350037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_074A { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" 
reference = "https://github.com/magicsword-io/LOLDrivers" hash = "074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -2884,7 +4265,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_F877 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54" hash = "de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -2906,7 +4287,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_818E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
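Review bot: The two non-Latin VersionInfo strings in PUA_VULN_Driver_Netfiltersys_F171 — `5b8f56fe65e05fe7` (CompanyName) and `65e05fe752a0901f5668` (ProductName) — look like UTF-16 code points written high-byte-first, whereas the ASCII strings in the same rule only line up with the PE's UTF-16LE data because each `00xx` pair is offset by the null byte that precedes the value; for CJK code points with a non-zero high byte that offset trick does not hold, so these two strings would most likely never match and, with `all of them` in the condition, the whole rule would be dead. Please verify against the sample in the rule's `hash` field and, if confirmed, emit the byte-swapped form (computed from the page's value, e.g. `8f5bfe56e065e75f` for CompanyName) or drop the two strings and adjust the condition accordingly. If this file is produced by a generator, the fix belongs there, since any other non-Latin VersionInfo value would be affected the same way; the empty `/* CompanyName */` and `/* ProductName */` comments are consistent with that origin.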
@@ -2929,7 +4310,7 @@ rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_5FAD { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36" hash = "29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ @@ -2951,7 +4332,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_ED2F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2973,7 +4354,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_DE8F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ 
@@ -2986,41 +4367,13 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_DE8F { } -rule PUA_VULN_Driver_Asrockincorporation_Asrdrvsys_Asrockiodriver_950A { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrOmgDrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9" - hash = "ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c" - hash = "a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc" - hash = "f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b" - hash = "3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838" - hash = "2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d" - hash = "6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7" - date = "2023-07-14" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* FileDescription ASRockIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* InternalName AsrDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* ProductName ASRockIODriver */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* OriginalFilename AsrDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them -} - - rule PUA_VULN_Driver_Zemanaltd_Zam_E428 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -3044,7 +4397,7 @@ rule PUA_VULN_Driver_Rweverything_Rwdrvsys_Rweverythingreadwritedriver_0AAF { hash = "2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14" hash = "2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a" hash = "47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520057002d00450076006500720079007400680069006e006700200052006500610064002000260020005700720069007400650020004400720069007600650072 } /* FileDescription RWEverythingReadWriteDriver */ 
@@ -3060,23 +4413,45 @@ rule PUA_VULN_Driver_Rweverything_Rwdrvsys_Rweverythingreadwritedriver_0AAF { } -rule PUA_VULN_Driver_Novellinc_Novellxtier_CF31 { +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_CBF7 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NICM.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190" - hash = "904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a" - date = "2023-07-14" + hash = "cbf74bed1a4d3d5819b7c50e9d91e5760db1562d8032122edac6f0970f427183" + date = "2023-07-31" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e00640072006100200044006500760069006300650020004400720069007600650072002000280049004100360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverIAUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdPresentAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule 
PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_1284 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1284a1462a5270833ec7719f768cdb381e7d0a9c475041f9f3c74fa8eea83590" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003300320020007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0032002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0032002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300035002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } 
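Review bot: Replacing PUA_VULN_Driver_Novellinc_Novellxtier_CF31 with the SiSoftware Sandra rule removes coverage for its two hashes, `cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190` and `904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a` (NICM.SYS), and neither reappears in the other Novell rules touched in this commit (D04C, 6C71) or anywhere else visible here. The same applies to the seven hashes removed with PUA_VULN_Driver_Asrockincorporation_Asrdrvsys_Asrockiodriver_950A and the one removed with PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_93D8 in the earlier hunks. If those samples are now covered by a different rule set, a sentence in the commit description saying so would save reviewers the cross-check; otherwise the hunk-offset shift (old 3060 to new 4413) suggests a bulk regeneration, and these removals look more like an accidental coverage regression than an intentional delisting.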
@@ -3088,7 +4463,7 @@ rule PUA_VULN_Driver_Logitechinc_Lvavsys_Logitechwebcamsoftware_E86C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f00670069007400650063006800200056006900640065006f0020004400720069007600650072 } /* FileDescription LogitechVideoDriver */ @@ -3110,7 +4485,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_2BBC { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -3129,7 +4504,7 @@ rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_F15A { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ 
@@ -3145,35 +4520,13 @@ rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_F15A { } -rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_93D8 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63" - date = "2023-07-14" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them -} - - rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_86A1 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3195,7 +4548,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_4DA0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3217,7 +4570,7 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltxsys_Panca author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ 
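Review bot: Coverage for hash 93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63 is lost in this hunk: rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_93D8 is removed and no rule in this file carries that hash afterwards (the Razer rule added later in the diff, _0C92, lists two different samples); the same happens in the hunk at -3257 for PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_2EF7 (four hashes) and in the hunk at -3392 for PUA_VULN_Driver_Powertool_Kevpsys_Powertool_1AAA (three hashes). Unless these samples were deliberately retired or now live in another rules file of the project, this is a silent drop in detection, and any tooling that links sample metadata to a rule by searching for the hash will presumably stop matching them, so the commit message should state which of the two it is. Separately, `date = "2023-07-14"` is rewritten to `date = "2023-07-31"` on every rule in the file, including rules with no other change, which leaves the field useless as a last-modified marker; if the generator must stamp its run date, writing it to a separate meta field and leaving `date` untouched for unchanged rules would keep that information.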
@@ -3241,7 +4594,7 @@ rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Rtkiosys_Windowsrcodena hash = "caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab" hash = "478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82" hash = "916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ 
@@ -3257,38 +4610,13 @@ rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Rtkiosys_Windowsrcodena } -rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_2EF7 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e" - hash = "dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98" - hash = "8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126" - hash = "49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668" - date = "2023-07-14" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them -} - - rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_6FFD { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c00650020004e006f00540072006100700020004200750069006c0064 } /* FileDescription TrendMicroCommonModuleNoTrapBuild */ @@ -3310,7 +4638,7 @@ rule PUA_VULN_Driver_Windowsrserverddkprovider_Speedfansys_Windowsrserverddkdriv author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200044006500760069006300650020004400720069007600650072 } /* FileDescription SpeedFanDeviceDriver */ 
@@ -3326,13 +4654,35 @@ rule PUA_VULN_Driver_Windowsrserverddkprovider_Speedfansys_Windowsrserverddkdriv } +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_F4EE { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f4ee803eefdb4eaeedb3024c3516f1f9a202c77f4870d6b74356bbde32b3b560" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310033 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_AD8F { meta: description = "Detects vulnerable driver mentioned in 
LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -3354,7 +4704,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_34E author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -3376,7 +4726,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_19BF { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
@@ -3392,37 +4742,13 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_19BF { } -rule PUA_VULN_Driver_Powertool_Kevpsys_Powertool_1AAA { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kEvP64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c" - hash = "09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184" - hash = "8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f" - date = "2023-07-14" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006f0077006500720054006f006f006c } /* FileDescription PowerTool */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* CompanyName PowerTool */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* InternalName kEvPsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* ProductName PowerTool */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* OriginalFilename kEvPsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0050006f0077006500720054006f006f006c } /* LegalCopyright PowerTool */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them -} - - rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2FBB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project 
using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -3444,7 +4770,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_14AD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3466,7 +4792,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E4D9 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -3488,7 +4814,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F65 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -3512,7 +4838,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3 hash = "3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc" hash = "46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7" hash = "6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ 
@@ -3528,13 +4854,35 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3 } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_6E9E { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6e9e9e0b9a23deec5f28dc45f0bbe7423565f037f74be2957e82e5f72c886094" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003800300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00380030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} 
+ + rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_A2F4 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -3556,7 +4904,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_DCB8 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3580,7 +4928,7 @@ rule PUA_VULN_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutxsys_Inpoutxd hash = "2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d" hash = "f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af" hash = "f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00650072006e0065006c0020006c006500760065006c00200070006f0072007400200061006300630065007300730020006400720069007600650072 } /* FileDescription Kernellevelportaccessdriver */ 
@@ -3598,11 +4946,11 @@ rule PUA_VULN_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutxsys_Inpoutxd rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2380 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ @@ -3620,11 +4968,11 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2380 { rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_496F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ 
@@ -3646,7 +4994,7 @@ rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_43BA { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d004900430053005900530020006400720069007600650072 } /* FileDescription MICSYSdriver */ @@ -3669,7 +5017,7 @@ rule PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_4880 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8" hash = "55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d003100300020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */ 
@@ -3685,13 +5033,59 @@ rule PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_4880 { } +rule PUA_VULN_Driver_Overclockingtool_Atillksys_Overclockingtool_11A9 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "11a9787831ac4f0657aeb5e7019c23acc39d8833faf28f85bd10d7590ea4cc5f" + hash = "d2182b6ef3255c7c1a69223cd3c2d68eb8ba3112ce433cd49cd803dc76412d4b" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f0076006500720063006c006f0063006b0069006e00670020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription OverclockingHardwareAbstractionSys */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f0076006500720063006c006f0063006b0069006e006700200054006f006f006c } /* CompanyName OverclockingTool */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310030002e00320030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310030002e00320030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* InternalName atillksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004f0076006500720063006c006f0063006b0069006e006700200054006f006f006c } /* ProductName OverclockingTool */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* OriginalFilename atillksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002c00200032003000300035 } /* LegalCopyright CopyrightC */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + 
+rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_0C92 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0c925468c3376458d0e1ec65e097bd1a81a03901035c0195e8f6ef904ef3f901" + hash = "16e2b071991b470a76dff4b6312d3c7e2133ad9ac4b6a62dda4e32281952fb23" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0033003100330037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0033003100330037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5CFA { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo 
values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ 
@@ -3712,18 +5106,62 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Paniosys_Paniolibra description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanIO.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960" - date = "2023-07-14" + hash = "f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e0049004f002e007300790073 } /* InternalName PanIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e0049004f0020004c006900620072006100720079 } /* ProductName PanIOLibrary */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e0049004f002e007300790073 } /* OriginalFilename PanIOsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazilimBilisimTeknolojileriTicLtdSti */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_0DC4 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0dc4ff96d7e7db696e0391c5a1dda92a0b0aedbf1b0535bf5d62ebeec5b2311c" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename 
ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003500200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtier_66F8 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "66f8bd2b29763acfbb7423f4c3c9c3af9f3ca4113bd580ab32f6e3ee4a4fc64e" + hash = "7f84f009704bc36f0e97c7be3de90648a5e7c21b4f870e4f210514d4418079a0" + date = "2023-07-31" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e0049004f002e007300790073 } /* InternalName PanIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e0049004f0020004c006900620072006100720079 } /* ProductName PanIOLibrary */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e0049004f002e007300790073 } /* OriginalFilename PanIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazilimBilisimTeknolojileriTicLtdSti */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } 
@@ -3731,11 +5169,11 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Paniosys_Paniolibra rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_3E27 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ 
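Review bot: `date` is rewritten to 2023-07-31 in a rule whose strings and condition are untouched and whose only content change is the `.sys` suffix on the description, so the field stops recording when the rule was authored and every rule in the file looks new after each regeneration. Keep `date = "2023-07-14"` and record the regeneration separately, e.g. `modified = "2023-07-31"`, which is the usual YARA meta convention and lets consumers that diff rule sets by date see real changes only. The same date-only rewrite appears in the other hunks of this file.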
@@ -3751,13 +5189,35 @@ rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_3E27 { } +rule PUA_VULN_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_D0EB { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d0eb3ba0aff471d19260192784bf9f056d669b779b6eaff84e732b7124ce1d11" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d00200044007200690076006500720020002800360034002d0042006900740029 } /* FileDescription TrendMicroELAMDriverBit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_D0E2 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ 
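Review bot: The new `PUA_VULN_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_D0EB` rule carries only the project root URL in `reference`, so a hit on what its own ProductName string identifies as a Trend Micro Early Launch Anti-Malware driver gives the analyst no direct pointer to why build 1.6.0.1002 (hash d0eb3ba0…) is listed, and at `score = 40` a hit on a widely deployed AV component will need that context to be triaged rather than dismissed. Consider emitting a per-rule `reference` to the LOLDrivers entry for this hash, or a `description` qualifier naming the weakness class, alongside the generic project link. The meta block is otherwise consistent with the neighbouring rules in this hunk.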
@@ -3773,13 +5233,35 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_D0E2 { } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_1F15 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1f15fd9b81092a98fabcc4ac95e45cec2d9ff3874d2e3faac482f3e86edad441" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule 
PUA_VULN_Driver_Fujitsulimited_Advdrvsys_Microsoftrwindowsroperatingsystem_04A8 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ADV64DRV.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460055004a00490054005300550020004c0049004d0049005400450044002e } /* CompanyName FUJITSULIMITED */ @@ -3800,7 +5282,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0CD author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -3822,7 +5304,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7837 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -3844,7 +5326,7 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltsys_Pancaf author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ @@ -3866,7 +5348,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_D0BD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -3888,7 +5370,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_4E37 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -3910,7 +5392,7 @@ rule PUA_VULN_Driver_Iobit_Monitorsys_Advancedsystemcare_E4A7 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f006200690074002000540065006d007000650072006100740075007200650020004d006f006e00690074006f0072 } /* FileDescription IObitTemperatureMonitor */ @@ -3928,11 +5410,11 @@ rule PUA_VULN_Driver_Iobit_Monitorsys_Advancedsystemcare_E4A7 { rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_881B { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -3954,7 +5436,7 @@ rule PUA_VULN_Driver_Dtresearchinc_Iomemsys_Iomemsys_3D23 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ 
@@ -3978,7 +5460,7 @@ rule PUA_VULN_Driver_Windowsrwinddkprovider_Vmdrvsys_Windowsrwinddkdriver_D884 { hash = "d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3" hash = "5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921" hash = "32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0056006f006900630065006d006f00640020005600690072007400750061006c00200041007500640069006f00200044006500760069006300650020002800570044004d0029 } /* FileDescription VoicemodVirtualAudioDeviceWDM */ @@ -4001,7 +5483,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_C reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc" hash = "075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -4023,7 +5505,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F69 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
@@ -4045,7 +5527,7 @@ rule PUA_VULN_Driver_Oti_Otipcibussys_Kernelmodedrivertoaccessphysicalmemoryandp author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200041006300630065007300730020004400720069007600650072 } /* FileDescription HardwareAccessDriver */ @@ -4067,7 +5549,7 @@ rule PUA_VULN_Driver_Atszio_Atsziodriver_673B { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b" hash = "31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ @@ -4084,11 +5566,11 @@ rule PUA_VULN_Driver_Atszio_Atsziodriver_673B { rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_82FB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ 
@@ -4104,13 +5586,35 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_82FB { } +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_D7C7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d7c79238f862b471740aff4cc3982658d1339795e9ec884a8921efe2e547d7c3" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e0064007200610020004400650076006900630065002000440072006900760065007200200028007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright 
CopyrightSiSoftwareLtdPresentAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_A802 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4132,7 +5636,7 @@ rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpudriver_Windowsrcoden author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041005300550053002000540044004500200043005000550020004400720069007600650072 } /* FileDescription ASUSTDECPUDriver */ @@ -4154,7 +5658,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_61BE { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -4170,45 +5674,23 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_61BE { } -rule PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_358A { +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_1E94 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69" - date = "2023-07-14" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them -} - - -rule PUA_VULN_Driver_Novellinc_Novellxtier_CE23 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + description = "Detects vulnerable driver 
mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2" - hash = "28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7" - date = "2023-07-14" + hash = "1e94d4e6d903e98f60c240dc841dcace5f9e8bbb0802e6648a49ab80c23318cb" + date = "2023-07-31" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310031 } /* LegalCopyright CopyrightAlmicoSoftware */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } @@ -4220,7 +5702,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_3C18 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ 
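Review bot: Detection for three previously covered hashes — 358ac54b… (WiseUnlo, rule `_358A`) and ce23c2da…/28999af3… (nscm.sys, rule `_CE23`) — disappears in this hunk, which deletes both rules and adds only the SpeedFan `_1E94` rule, and no hunk in this diff shows them being re-emitted elsewhere. The jump from old line 4170 to new line 5674 indicates the file was reordered on regeneration, so the rules may simply have moved, but that cannot be confirmed from here, and the new `_66F8` Novell rule visible earlier in this diff matches libnicm.sys, not nscm.sys, so it is not a replacement for `_CE23`. Before merging, compare the set of `hash =` values between the old and new file, e.g. `diff <(grep -o 'hash = "[0-9a-f]*"' old.yar | sort -u) <(grep -o 'hash = "[0-9a-f]*"' new.yar | sort -u)`, and confirm the result is empty or that every dropped hash was removed on purpose.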
@@ -4239,7 +5721,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3C42 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
@@ -4255,13 +5737,35 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3C42 { } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_3E85 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3e85cf32562a47d51827b21ab1e7f8c26c0dbd1cd86272f3cc64caae61a7e5fb" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule 
PUA_VULN_Driver_Hpdevelopmentcompany_Etdsuppsys_Hpetdidriverdll_F744 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - etdsupp.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004500540044006900200053007500700070006f007200740020004400720069007600650072 } /* FileDescription ETDiSupportDriver */ @@ -4283,7 +5787,7 @@ rule PUA_VULN_Driver_Asus_Asmmapsys_Atkgenericfunctionservice_025E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0065006d006f007200790020006d0061007000700069006e00670020004400720069007600650072 } /* FileDescription MemorymappingDriver */ @@ -4305,7 +5809,7 @@ rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_32E1 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ 
@@ -4321,34 +5825,13 @@ rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_32E1 { } -rule PUA_VULN_Driver_Novellinc_Novellxtier_8E88 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c" - date = "2023-07-14" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them -} - - rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0B54 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE 
header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -4370,7 +5853,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -4393,7 +5876,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_5439 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91" hash = "ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ 
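Review bot: The nscm.sys rule `PUA_VULN_Driver_Novellinc_Novellxtier_8E88` (hash 8e88cb80…) is removed here with no replacement in the hunk, so coverage for that hash is lost unless the rule reappears in a part of the regenerated file this diff does not show. Together with the `_CE23` removal in the hunk at old line 4170, every nscm.sys hash drops out of the visible hunks, while the new `_66F8` Novell rule earlier in the diff matches libnicm.sys only. If the removal is intentional (for example the samples were reclassified), a sentence in the commit message saying so would spare the next reader from re-deriving it; otherwise the generator's input list for nscm.sys needs checking before this lands.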
@@ -4406,13 +5889,57 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_5439 { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_FF1C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ff1ccef7374a1a5054a6f4437e3e0504b14ed76e17090cc6b1a4ec0e2da427a5" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003600300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00360030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule 
PUA_VULN_Driver_Realixtm_Hwinfoisys_Hwinfoiakerneldriver_33C6 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO64I.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "33c6c622464f80a8d8017a03ff3aa196840da8bb03bfb5212b51612b5cf953dc" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f002000490041003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOIAKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e00370032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00370032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f003600340049002e005300590053 } /* InternalName HWiNFOISYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f002000490041003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOIAKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f003600340049002e005300590053 } /* OriginalFilename HWiNFOISYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100320020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5192 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project 
using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -4428,13 +5955,57 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5192 { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_7125 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7125c9831a52d89d3d59fb28043b67fbe0068d69732da006fabb95550d1fa730" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003500300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00350030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all 
of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtier_E89C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e89cb7217ec1568b43ad9ca35bf059b17c3e26f093e373ab6ebdeee24272db21" + hash = "834a3d755b5ae798561f8e5fbb18cf28dfcae7a111dc6a03967888e9d10f6d78" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Advancedmicrodevicesinc_Amdpowerprofilersys_Amduprof_0AF5 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using 
VersionInfo values from the PE header - AMDPowerProfiler.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d004400200050006f007700650072002000500072006f00660069006c0069006e00670020004400720069007600650072 } /* FileDescription AMDPowerProfilingDriver */ @@ -4456,7 +6027,7 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panioxsys_Paniolibr author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ 
@@ -4472,13 +6043,35 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panioxsys_Paniolibr } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_8DCE { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8dcec67a1f4903981c3e0ab938784c2f241e041e26748e1c22059e0e507cfb37" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003500300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00350030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} 
+ + rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_1AAF { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -4500,7 +6093,7 @@ rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriver_1D03 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ @@ -4523,7 +6116,7 @@ rule PUA_VULN_Driver_Windowsrddkprovider_Gdrvsys_Windowsrddkdriver_F4FF { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b" hash = "cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ 
@@ -4539,13 +6132,35 @@ rule PUA_VULN_Driver_Windowsrddkprovider_Gdrvsys_Windowsrddkdriver_F4FF { } +rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_0452 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0452a6e8f00bae0b79335c1799a26b2b77d603451f2e6cc3b137ad91996d4dec" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310033002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Avastsoftware_Aswvmmsys_Avastantivirus_3650 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswVmm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00610076006100730074002100200056004d0020004d006f006e00690074006f0072 } /* FileDescription avastVMMonitor */ @@ -4567,7 +6182,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_9B2F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ 
@@ -4583,6 +6198,28 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_9B2F { } +rule PUA_VULN_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_DD62 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "dd628061d6e53f3f0b44f409ad914b3494c5d7b5ff6ff0e8fc3161aacec93e96" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d0020004400720069007600650072 } /* FileDescription TrendMicroELAMDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FCA1 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" @@ -4590,7 +6227,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FCA1 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c" hash = "7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -4606,6 +6243,28 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FCA1 { } +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_DB71 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "db711ec3f4c96b60e4ed674d60c20ff7212d80e34b7aa171ad626eaa8399e8c7" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300034002e0030003100300035002e00320030003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300034002e0030003100300035002e0032003000310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_7E81 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" @@ -4613,7 +6272,7 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d" hash = "a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ 
@@ -4629,13 +6288,34 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster } +rule PUA_VULN_Driver_Novellinc_Novellxtier_6CF1 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6cf1cac0e97d30bb445b710fd8513879678a8b07be95d309cbf29e9b328ff259" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310030002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_B175 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using 
VersionInfo values from the PE header - EIO.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ 
@@ -4647,7 +6327,26 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_B175 { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000370020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_3F20 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - pchunter.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3f20ac5dac9171857fc5791865458fdb6eac4fab837d7eabc42cb0a83cb522fc" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]7cfb7edf4fe1606f67e5770b5de55177 } /* FileDescription */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8982af7f5176feff0853174eacff0979d1628067099650516c53f8 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0035002e0037 } /* ProductVersion */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200032003000310039002d003200300032003100200041006e00580069006e00530065006300200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CAnXinSecCorporationAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 700KB and all of them } 
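Review bot: `PUA_VULN_Driver_3F20` is missing the vendor/product segments every other rule name in this file carries, and its FileDescription and CompanyName strings are emitted with an empty trailing comment, which suggests the generator could not transliterate non-Latin VersionInfo values (the hex looks like UTF-16LE CJK text, consistent with the AnXinSec LegalCopyright). The hash suffix keeps the name unique, but a reader cannot tell what the rule matches; at minimum annotate the two strings, e.g. `/* FileDescription (non-Latin UTF-16LE, not transliterated) */` and `/* CompanyName (non-Latin UTF-16LE; LegalCopyright names AnXinSec) */`. The `filesize < 700KB` bound also differs from the `100KB` used by every other rule in view, so if it is deliberate for pchunter.sys a short `/* larger driver image */` note on the condition would stop a later regeneration or cleanup from "fixing" it back. The `_B175` condition line just above is removed and re-added with identical visible text, so that part of the hunk is presumably whitespace-only.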
@@ -4657,7 +6356,7 @@ rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_082C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -4679,7 +6378,7 @@ rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_119C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f00360034 } /* FileDescription ALSysIO */ 
@@ -4695,13 +6394,35 @@ rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_119C { } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9CA5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9ca586b49135166eea00c6f83329a2d134152e0e9423822a51c13394265b6340" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_1DDF { meta: 
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -4723,7 +6444,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_12ED { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4745,7 +6466,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3D9E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004e00540049004f004c00690062005f00450043004f } /* FileDescription NTIOLibForNTIOLibECO */ 
@@ -4767,7 +6488,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_A5A5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -4789,7 +6510,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_2CE author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -4811,7 +6532,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_1C12 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -4827,13 +6548,57 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_1C12 { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_4E54 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4e54e98df13110aac41f3207e400cce2a00df29ce18c32186e536c1de25a75ce" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003000390020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule 
PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_A6F7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a6f7897cd08fe9de5e902bb204ff87215584a008f458357d019a50d6139ca4af" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300031002e0030003700320035002e00320030003100320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300031002e0030003700320035002e0032003000310032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f0044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_0F01 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ 
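Review bot: The `date` meta of rules whose body is otherwise unchanged is rewritten from `2023-07-14` to `2023-07-31` (the PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_0F01 rule at the end of this hunk changes in nothing else), so the field records the last regeneration of the file rather than when a rule was created or last modified, and every rebuild produces a diff touching all rules, which buries the real additions such as the two new REALiX/Realtek rules here. The same date-only rewrite appears in every other hunk of this file section (`@@ -4723` through `@@ -5295`), so this note stands for all of them. The file looks generated, so the fix belongs in the generator: keep the existing `date` when a rule's strings and condition are unchanged, or record the build date once in a file header and reserve `date` for the rule's own modification date. The 0F01 rule's strings and condition continue past the end of this hunk.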
@@ -4849,13 +6614,57 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ } +rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxusbmonsys_Virtualboxusbmonitordriver_8A24 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSBMon.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8a2482e19040d591c7cec5dfc35865596ce0154350b5c4e1c9eecc86e7752145" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* FileDescription VirtualBoxUSBMonitorDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* InternalName VBoxUSBMonsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* ProductName VirtualBoxUSBMonitorDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* OriginalFilename VBoxUSBMonsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright SunMicrosystemsInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} 
+ + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_033C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "033c4634ab1a43bc3247384864f3380401d3b4006a383312193799dded0de4c7" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_C082 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers 
project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4878,7 +6687,7 @@ rule PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_47EA { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84" hash = "3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ @@ -4900,7 +6709,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_591B { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d005300490052006100740069006f005f00430043 } /* FileDescription NTIOLibForMSIRatioCC */ 
@@ -4922,7 +6731,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3124 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004600720065007100750065006e00630079005f00430043 } /* FileDescription NTIOLibforMSIFrequencyCC */ 
@@ -4938,13 +6747,35 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3124 { } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5148 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "51480eebbbfb684149842c3e19a8ffbd3f71183c017e0c4bc6cf06aacf9c0292" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200033002c00200030002c00200033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200033002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003300200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule 
PUA_VULN_Driver_Safenetinc_Hostnt_Hostnt_07B6 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HOSTNT.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006f00730074006e0074002000360034002d0062006900740020006400720069007600650072 } /* FileDescription Hostntbitdriver */ 
@@ -4960,13 +6791,35 @@ rule PUA_VULN_Driver_Safenetinc_Hostnt_Hostnt_07B6 { } +rule PUA_VULN_Driver_Proxydrvsys_Nn_0B20 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ProxyDrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0b205838a8271daea89656b1ec7c5bb7244c42a8b8000d7697e92095da6b9b94" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]96f7795e004e004e52a0901f5668002d9a7152a87a0b5e8f65874ef6 } /* FileDescription NN */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]96f7795eff086b666c49ff097f517edc6280672f67099650516c53f8 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c0039002c0035002c00330020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* InternalName ProxyDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]96f7795e004e004e52a0901f5668 } /* ProductName NN */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* OriginalFilename ProxyDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000400020005700770077002e004e006e002e0043006f006d } /* LegalCopyright CopyrightWwwNnCom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5027 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" 
reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4988,7 +6841,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_76E8 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5010,7 +6863,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_2D2C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
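Review bot: In PUA_VULN_Driver_Proxydrvsys_Nn_0B20 the `/* CompanyName */` comment carries no value and `/* FileDescription NN */` shows only the two ASCII characters of the field, apparently because the generator drops non-ASCII characters when rendering the comment, while the hex strings (`96f7795e...`) still encode the full non-Latin text. A reviewer therefore cannot tell from the rule what VersionInfo value it is meant to match or check it against the sample. Consider having the generator emit a lossless rendering for such fields, for example the text as `\uXXXX` escapes, or at minimum a marker such as `/* CompanyName (non-ASCII value, see hex string) */`. The PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5027 rule whose date bump closes this hunk continues past the hunk edge.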
@@ -5032,7 +6885,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_37C6 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
@@ -5048,13 +6901,36 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_37C6 { } +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_442C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "442c18aeb09556bb779b21185c4f7e152b892410429c123c86fc209a802bff3c" + hash = "3e1f592533625bf794e0184485a4407782018718ae797103f9e968ff6f0973a1" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300035002e0030003800320035002e00320030003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300035002e0030003800320035002e0032003000310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* 
OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Zemanaltd_Zam_9A95 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -5073,7 +6949,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_CC58 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ 
@@ -5095,7 +6971,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_C901 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5117,7 +6993,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1273 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ 
@@ -5133,6 +7009,50 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1273 { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_4AC0 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4ac08a6035cfcafdac712d7c3cf2eef6e10258f14cee6e80e1ef2f71f5045173" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003900300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00390030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule 
PUA_VULN_Driver_Logitech_Lgcoretempsys_Lgcoretemp_E0CB { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgCoreTemp.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e0cb07a0624ddfacaa882af49e3783ae02c9fbd0ab232541a05a95b4a8abd8ef" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430050005500200043006f00720065002000540065006d007000650072006100740075007200650020004d006f006e00690074006f0072 } /* FileDescription CPUCoreTemperatureMonitor */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c006f006700690074006500630068 } /* CompanyName Logitech */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c00670043006f0072006500540065006d0070002e007300790073 } /* InternalName LgCoreTempsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c00670043006f0072006500540065006d0070 } /* ProductName LgCoreTemp */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c00670043006f0072006500540065006d0070002e007300790073 } /* OriginalFilename LgCoreTempsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004c006f006700690074006500630068002c00200049006e0063 } /* LegalCopyright CopyrightLogitechInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_C64D { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" 
@@ -5140,7 +7060,7 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_C64D { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc" hash = "55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ 
@@ -5156,13 +7076,56 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_C64D { } +rule PUA_VULN_Driver_Novellinc_Novellxtierforwindows_V_7A2C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7a2cd1dc110d014165c001ce65578da0c0c8d7d41cc1fa44f974e8a82296fc25" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760033002e003100200028003200300030003600300038003000380029 } /* ProductVersion v */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_16B5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from 
the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "16b591cf5dc1e7282fdb25e45497fe3efc8095cbe31c05f6d97c5221a9a547e1" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_263E { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = 
"263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -5184,7 +7147,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E3EF { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5206,7 +7169,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_98B7 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f0072002000440065006200750067004c00450044 } /* FileDescription NTIOLibforDebugLED */ @@ -5228,7 +7191,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ 
@@ -5250,7 +7213,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -5268,11 +7231,11 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8137 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -5295,7 +7258,7 @@ rule PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_11BD { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5" hash = "a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ 
@@ -5311,13 +7274,35 @@ rule PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_11BD { } +rule PUA_VULN_Driver_Genitlkiwibenjaminxxxxx_Titidrv_Titidrvtiticatz_208E { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - titidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "208ea38734979aa2c86332eba1ea5269999227077ff110ac0a0d411073165f85" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007400690074006900640072007600200066006f0072002000570069006e0064006f00770073002000280074006900740069006300610074007a0029 } /* FileDescription titidrvforWindowstiticatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00690074006c006b0069007700690020002800420065006e006a0061006d0069006e0020005800580058005800580029 } /* CompanyName genitlkiwiBenjaminXXXXX */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0074006900740069006400720076 } /* InternalName titidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0074006900740069006400720076002000280074006900740069006300610074007a0029 } /* ProductName titidrvtiticatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0074006900740069006400720076002e007300790073 } /* OriginalFilename titidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00690074006c006b0069007700690020002800420065006e006a0061006d0069006e0020005800580058005800580029 } /* LegalCopyright CopyrightcgenitlkiwiBenjaminXXXXX */ + condition: + 
uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_0909 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5339,7 +7324,7 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7539 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ 
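Review bot: Bumping `date` from `2023-07-14` to `2023-07-31` on the unchanged `PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_0909` rule (the same bump is applied to every existing rule in this diff) leaves the field unable to tell an analyst when a rule was written or last changed, which is what `date` is normally used for in triage and tuning. Either keep `date` at its original value and add `modified = "2023-07-31"` only on rules whose strings or condition actually changed, or state in the file header that `date` is the generator run date so nobody reads it as rule provenance. The new `PUA_VULN_Driver_Genitlkiwibenjaminxxxxx_Titidrv_Titidrvtiticatz_208E` rule itself follows the same eight-string, `all of them`, `filesize < 100KB` pattern as its siblings and raises nothing on its own.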
@@ -5355,13 +7340,37 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7539 { } +rule PUA_VULN_Driver_Netfiltersys_79E7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "79e7165e626c7bde546cd1bea4b9ec206de8bed7821479856bdb0a2adc3e3617" + hash = "edc6e32e3545f859e5b49ece1cabd13623122c1f03a2f7454a61034b3ff577ed" + hash = "18b923b169b2c3c7db5cbfda0db0999f04adb2cf6c917e5b1fb2ff04714ecac1" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a00530051002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQTDIHookDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f56689a7152a865874ef6 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule 
PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E05E { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -5383,7 +7392,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_478D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5405,7 +7414,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_BE8D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ 
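Review bot: In `PUA_VULN_Driver_Netfiltersys_79E7` the `CompanyName` and `ProductName` comments are empty because the generator strips everything non-alphanumeric and both values are non-ASCII UTF-16 (code units `5b8f 56fe 65e0 5fe7` and `65e0 5fe7 52a0 901f 5668 9a71 52a8 6587 4ef6`, which look like CJK text), so a reader cannot tell what two of the eight required strings match; have the generator emit the decoded text or `\uXXXX` escapes in the comment, e.g. `/* CompanyName \u5b8f\u56fe\u65e0\u5fe7 */`. The rule also lists three hashes but pins one `FileVersion` (`1.4.9.5 built by: WinDDK`) and one `ProductVersion` (`1.5.8.0`) under `all of them`, so it only fires on samples that carry exactly that VersionInfo; presumably the generator deduplicated by identical strings, but it is worth confirming all three hashes share it, otherwise the extra hashes overstate coverage. Note the rule name drops the vendor segment the other names carry, for the same non-ASCII reason.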
@@ -5427,7 +7436,7 @@ rule PUA_VULN_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautochkupddrvdri author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072004100750074006f00430068006b0055007000640044007200760020004400720069007600650072 } /* FileDescription AsrAutoChkUpdDrvDriver */ @@ -5449,7 +7458,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_0F17 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -5471,7 +7480,7 @@ rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublicbyvektortrev author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ 
@@ -5487,13 +7496,35 @@ rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublicbyvektortrev } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_7CF7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7cf756afcaf2ce4f8fb479fdede152a17eabf4c5c7c329699dab026a4c1d4fd0" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule 
PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_4408 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -5515,7 +7546,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_D5C4 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ 
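Review bot: `PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_7CF7` and the `_828A` rule added later in this same diff are identical in seven of their eight strings (FileDescription, CompanyName, ProductVersion `6, 0, 0, 0`, InternalName, ProductName, OriginalFilename, LegalCopyright) and differ only in FileVersion, `6, 0, 0, 7` here versus `6, 0, 1, 0` there. If the generator emits one rule per sample on purpose that is fine, but a single rule with named version strings, `$fv1`/`$fv2`, and a condition of `1 of ($fv*)` plus the remaining strings would cover both hashes and any further ElbyCDIO build that only bumps the fourth version component, instead of adding a near-duplicate 20-line rule per build. Either way a one-line meta note saying whether exact-build matching is intended would stop a later maintainer from merging or splitting these by guesswork.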
@@ -5531,13 +7562,35 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_D5C4 { } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_828A { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "828a18b16418c021b6c4aa8c6d54cef4e815efca0d48b9ff14822f9ccb69dff2" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule 
PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_3FA6 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5559,7 +7612,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_80A5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5581,7 +7634,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_D783 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -5603,7 +7656,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_ADC1 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5625,7 +7678,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_9254 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004400440052005f00430043 } /* FileDescription NTIOLibforMSIDDRCC */ @@ -5647,7 +7700,7 @@ rule PUA_VULN_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_F060 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */ @@ -5669,7 +7722,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_EF6D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ 
@@ -5691,7 +7744,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_CC68 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5713,7 +7766,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Activeclean_A903 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5735,7 +7788,7 @@ rule PUA_VULN_Driver_Microfocus_Microfocusxtier_5351 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200053006500630075007200690074007900200043006f006e00740065007800740020004d0061006e0061006700650072 } /* FileDescription XTierSecurityContextManager */ 
@@ -5750,13 +7803,35 @@ rule PUA_VULN_Driver_Microfocus_Microfocusxtier_5351 { } +rule PUA_VULN_Driver_Novellinc_Novellxtier_1E9C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1e9c236ed39507661ec32731033c4a9b9c97a6221def69200e03685c08e0bfa7" + hash = "76276c87617b836dd6f31b73d2bb0e756d4b3d133bddfe169cb4225124ca6bfb" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_26C2 { meta: description = 
"Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "26c28746e947389856543837aa59a5b1f4697e5721a04d00aa28151a2659b097" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ 
@@ -5772,13 +7847,35 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_26C2 } +rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_A209 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a2096b460e31451659b0dde752264c362f47254c8191930bc921ff16a4311641" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule 
PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_DBC6 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5800,7 +7897,7 @@ rule PUA_VULN_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_3 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -5822,7 +7919,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_2AFD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
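Review bot: The description of `PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_A209` names the driver `viragt.sys`, but the `OriginalFilename` string the rule requires decodes to `viragt64.sys` (only the `InternalName` string decodes to `viragt.sys`), and the sibling `_263E` rule for the same product describes its sample as `viragt64.sys`. Since the description is what an analyst sees on a hit, suggest `description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys"`, or mention both names. The description presumably comes from the filename field of the LOLDrivers YAML entry, so the fix may belong in that data rather than in this generated rule.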
@@ -5844,7 +7941,7 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -5866,7 +7963,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_8FE9 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -5885,7 +7982,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_4BC0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -5907,7 +8004,7 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_EEA5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ 
@@ -5923,13 +8020,57 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_EEA5 { } +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_0EAB { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0eab16c7f54b61620277977f8c332737081a46bc6bbde50742b6904bdd54f502" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e0064007200610020004400650076006900630065002000440072006900760065007200200028007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright 
CopyrightSiSoftwareLtdPresentAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Innotekgmbh_Vboxguest_Virtualboxguestadditions_D53F { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxguest.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d53f9111a5e6c94b37e3f39c5860897405cb250dd11aa91c3814a98b1759c055" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004400720069007600650072 } /* FileDescription VirtualBoxGuestDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00760062006f007800670075006500730074 } /* InternalName vboxguest */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760062006f007800670075006500730074002e007300790073 } /* OriginalFilename vboxguestsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of 
them +} + + rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolib_09BE { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ 
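Review bot: `PUA_VULN_Driver_Innotekgmbh_Vboxguest_Virtualboxguestadditions_D53F` pins the full build number `1.5.6.28241` in both its FileVersion and ProductVersion strings under `all of them`, so it is in effect a single-build signature for the one listed hash; a differently built copy of the same innotek `vboxguest.sys` with otherwise identical VersionInfo will not match. If family coverage is the goal, drop the two version strings or relax the condition to something like `6 of them`; if exact-build matching is intended, a short meta note saying so would stop the next maintainer from "generalizing" it. The same observation applies to the `PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_0EAB` rule above it, which pins `15.18.1.1`.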
@@ -5945,13 +8086,35 @@ rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolib_09BE { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_6701 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6701433861742c08eb50f1e785962378143ad5b6c374ac29118168599f8a0f1c" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule 
PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_FB6B { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ 
@@ -5967,13 +8130,57 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_FB6B { } +rule PUA_VULN_Driver_Innotekgmbh_Iprt_Virtualboxguestadditions_BBF5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxMouseNT.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "bbf564a02784d53b8006333406807c3539ee4a594585b1f3713325904cb730ec" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200069003800300034003200200050006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxiPortDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00690038003000340032007000720074 } /* InternalName iprt */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004d006f007500730065004e0054002e007300790073 } /* OriginalFilename VBoxMouseNTsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule 
PUA_VULN_Driver_Proxydrvsys_Nn_C0E7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ProxyDrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "c0e74f565237c32989cb81234f4b5ad85f9dd731c112847c0a143d771021cb99" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]96f7795e004e004e52a0901f5668002d9a7152a87a0b5e8f65874ef6 } /* FileDescription NN */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]96f7795eff086b666c49ff097f517edc6280672f67099650516c53f8 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c0039002c0035002c0033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* InternalName ProxyDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]96f7795e004e004e52a0901f5668 } /* ProductName NN */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* OriginalFilename ProxyDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000400020005700770077002e004e006e002e0043006f006d } /* LegalCopyright CopyrightWwwNnCom */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_CFB7 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40" - date = "2023-07-14" + date 
= "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -5995,7 +8202,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_B author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ 
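Review bot: The trailing comments on the Proxydrv rule's FileDescription, CompanyName and ProductName strings (`/* FileDescription NN */`, `/* CompanyName */`, `/* ProductName NN */`) have lost the non-ASCII part of the decoded VersionInfo text, so a reader cannot tell from the rule what these UTF-16 sequences (`96f7795e…`) actually say, or whether the rule is keying on the intended vendor strings. The generator should either keep the decoded text in the comment or mark it explicitly, e.g. `/* FileDescription <non-ASCII VersionInfo value, see hex> NN */`. The same rule also uses `filesize < 200KB` while every other new rule in this file section uses `100KB`; if that limit was taken from the sample size, a short comment on the condition line saying so would help the next maintainer.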
@@ -6011,13 +8218,35 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_B } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F42E { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f42eb29f5b2bcb2a70d796fd71fd1b259d5380b216ee672cf46dcdd4604b87ad" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200032002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule 
PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_81AA { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -6039,7 +8268,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2B4C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ 
@@ -6055,13 +8284,35 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2B4C { } +rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_B9AE { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b9ae1d53a464bc9bb86782ab6c55e2da8804c80a361139a82a6c8eef30fddd7c" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310034002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_7F37 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */ 
@@ -6077,13 +8328,78 @@ rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_7F37 { } +rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_38D6 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "38d6d90d543bf6037023c1b1b14212b4fa07731cbbb44bdb17e8faffc12b22e8" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200034002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200034002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310033002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_B205 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkiow8x64.sys " + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* InternalName rtkiowxsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtierforwindows_V_CA34 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ca34f945117ec853a713183fa4e8cf85ea0c2c49ca26e73d869fee021f7b491d" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00760032002e003000200028003200300030003600300038003000380029 } /* ProductVersion v */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_AD23 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ 
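Review bot: The Realtek B205 rule's CompanyName, ProductName and LegalCopyright strings embed the sample's trailing `0020` (UTF-16 space) padding verbatim, and InternalName/OriginalFilename end in a trailing `0020` as well; with `all of them` in the condition, any build whose resource padding differs by a single space is missed, so the rule degrades to roughly a single-sample match while still scanning eight strings. The generator should strip trailing whitespace before hex-encoding, so the CompanyName string ends at `...0052006500610006c00740065006b` (constructed from the visible value) rather than the padding run, and likewise for the other four strings; the description `"rtkiow8x64.sys "` carries the same stray trailing space. The Realtek 8EF5 rule in the hunk at `@@ -6121,13 +8437,57 @@` has the identical padding problem.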
@@ -6105,7 +8421,7 @@ rule PUA_VULN_Driver_Symanteccorporation_Vproeventmonitorsys_Symanteceventmonito author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e0053007900730020002d0020004500760065006e00740020004d006f006e00690074006f00720069006e00670020006400720069007600650072 } /* FileDescription VProEventMonitorSysEventMonitoringdriver */ 
@@ -6121,13 +8437,57 @@ rule PUA_VULN_Driver_Symanteccorporation_Vproeventmonitorsys_Symanteceventmonito } +rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_EAA5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "eaa5dae373553024d7294105e4e07d996f3a8bd47c770cdf8df79bf57619a8cd" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055002d005a0020004400720069007600650072 } /* FileDescription CPUZDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_8EF5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8ef59605ebb2cb259f19aba1a8c122629c224c58e603f270eaa72f516277620c" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300032002e0030003100310036002e00320030003100350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300032002e0030003100310036002e0032003000310035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f0044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_0B2A { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ 
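Review bot: In the cpuz EAA5 rule, the CompanyName, ProductName, LegalCopyright and FileVersion strings appear to be the WinDDK template defaults ("Windows (R) Codename Longhorn DDK provider", "© Microsoft Corporation…", "6.0.6000.16386 built by: WinDDK") rather than vendor-specific values, so only the InternalName and OriginalFilename `cpuz.sys` strings tie the match to this driver. If a later, fixed cpuz.sys build kept the same template resource it would likely match too; consider recording this in the rule so the score is read accordingly, e.g. a comment after the `score = 40` line: `/* version resource is the WinDDK template; only cpuz.sys file names are driver-specific */`. The rule name derived from that template CompanyName (`…Windowsrcodenamelonghornddkprovider…`) is likewise misleading about the actual vendor.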
@@ -6149,7 +8509,7 @@ rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_3724 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -6171,7 +8531,7 @@ rule PUA_VULN_Driver_Windowswinowsdriverkitsprovider_Hwrwdrvsys_Hardwarereadwrit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200072006500610064002000260020007700720069007400650020006400720069007600650072 } /* FileDescription Hardwarereadwritedriver */ 
@@ -6187,35 +8547,13 @@ rule PUA_VULN_Driver_Windowswinowsdriverkitsprovider_Hwrwdrvsys_Hardwarereadwrit } -rule PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_CF69 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb" - date = "2023-07-14" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000340020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them -} - - rule 
PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_133E { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ 
@@ -6231,13 +8569,35 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_133E } +rule PUA_VULN_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_E505 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e505569892551b2ba79d8792badff0a41faea033e8d8f85c3afea33463c70bd9" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d00200044007200690076006500720020002800360034002d0042006900740029 } /* FileDescription TrendMicroELAMDriverBit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Logmeininc_Lmiinfosys_Logmein_453B { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LMIinfo.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f0067004d00650049006e0020004b00650072006e0065006c00200049006e0066006f0072006d006100740069006f006e002000500072006f00760069006400650072 } /* FileDescription LogMeInKernelInformationProvider */ 
@@ -6255,11 +8615,11 @@ rule PUA_VULN_Driver_Logmeininc_Lmiinfosys_Logmein_453B { rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9679 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ 
@@ -6275,13 +8635,35 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9679 { } +rule PUA_VULN_Driver_Innotekgmbh_Vboxusbsys_Virtualboxusbdriver_C509 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSB.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "c509935f3812ad9b363754216561e0a529fc2d5b8e86bfa7302b8d149b7d04aa" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* FileDescription VirtualBoxUSBdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* InternalName VBoxUSBSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* ProductName VirtualBoxUSBdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* OriginalFilename VBoxUSBSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright innotekGmbH */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Asustekcomputerinc_Iomapsys_Asuskernelmodedriverfornt_EA85 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - IOMap64.sys" author = 
"Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410053005500530020004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200066006f00720020004e00540020 } /* FileDescription ASUSKernelModeDriverforNT */ @@ -6303,7 +8685,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_EBE2 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -6325,7 +8707,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_7AD0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -6347,7 +8729,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_2732 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ 
@@ -6363,13 +8745,35 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_2732 { } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_AF16 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "af16c36480d806adca881e4073dcd41acb20c35ed0b1a8f9bd4331de655036e1" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200032002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200032002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003200200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule 
PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_FF96 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -6391,7 +8795,7 @@ rule PUA_VULN_Driver_Nvidiacorporation_Nvflash_Nvidiaflashdriver_AFDD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0056004900440049004100200046006c0061007300680020004400720069007600650072002c002000560065007200730069006f006e00200031002e0038002e0030 } /* FileDescription NVIDIAFlashDriverVersion */ @@ -6413,7 +8817,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_D1F4 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
@@ -6429,13 +8833,35 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_D1F4 { } +rule PUA_VULN_Driver_Netfiltersdkcom_Lgdcatchersys_Netfiltersdk_0C42 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgDCatcher.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0c42fe45ffa9a9c36c87a7f01510a077da6340ffd86bf8509f02c6939da133c5" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKTDIHookDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* CompanyName NetFilterSDKcom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0039 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c006700440043006100740063006800650072002e007300790073 } /* InternalName LgDCatchersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0065007400460069006c007400650072002000530044004b } /* ProductName NetFilterSDK */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c006700440043006100740063006800650072002e007300790073 } /* OriginalFilename LgDCatchersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020003f0020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ + condition: + uint16(0) == 0x5a4d and filesize 
< 100KB and all of them +} + + rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gdrv_FF67 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050004e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPNPDriver */ @@ -6457,7 +8883,7 @@ rule PUA_VULN_Driver_Mitactechnologycorporation_Mtcbsvsys_Mitacsystemserviceprov author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription MiTACSystemServiceProvider */ @@ -6479,7 +8905,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_EC5F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
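Review bot: The LegalCopyright string of the new PUA_VULN_Driver_Netfiltersdkcom_Lgdcatchersys_Netfiltersdk_0C42 rule encodes the character between `Copyright` and `NetFilterSDK.com` as `003f` (a literal `?`), whereas the IObit renamed rule in the same commit encodes the copyright sign as `00a9` (`002000a90020`). If that `?` is an artefact of the string-extraction step rather than the bytes actually present in the driver's VS_VERSIONINFO, this string can never match and, because the condition is `all of them`, the entire rule is dead on the very sample (0c42fe45…) it was generated from. Worth verifying against the sample before shipping; if the `?` is genuinely what the PE contains, a note in the trailing comment such as `/* LegalCopyright — '?' is literally in the PE, not mojibake */` would stop a future regeneration from "fixing" it.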
@@ -6501,7 +8927,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ diff --git a/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar b/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar index 185f5d6de..e4d58dc91 100644 --- a/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +++ b/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar 
@@ -1,11 +1,121 @@ +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_EC13 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ec1307356828426d60eab78ffb5fc48a06a389dea6e7cc13621f1fa82858a613" + hash = "6c5aef14613b8471f5f4fdeb9f25b5907c2335a4bc18b3c2266fb1ffd8f1741d" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nicm/i +} + + +rule PUA_VULN_Renamed_Driver_Iobit_Iobitunlockersys_Iobitunlocker_5EA5 { + meta: + description = "Detects renamed vulnerable 
driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iobitunlocker.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5ea5f339b2e40dea57378626790ca7e9a82777aacdada5bc61ebb7d82043fa07" + hash = "b0dd55b4dc7e561dfe413b029673674e2a5381f5f4daede03ddf3484310a6e11" + hash = "a92d2736c8cd99195a1ef4d0d9a3412bee481acf585944e3b5946b465361a3e7" + hash = "d3e95b8d8cbb0c4c3bb78d929408b37fd3b8f305b6234f7f03954465d52454eb" + hash = "b6ae324b84a4632cf690dd565954d64b205104fc3fa42181612c3f5b830579c6" + hash = "d8096325bfe81b093dd522095b6153d9c4850ba2eaa790e12e7056ef160d0432" + hash = "0209934453e9ce60b1a5e4b85412e6faf29127987505bfb1185fc9296c578b09" + hash = "2b33df9aff7cb99a782b252e8eb65ca49874a112986a1c49cd9971210597a8ae" + hash = "c2e1a3dd0dfb3477a3e855368b23d12b8818df8fa3bc3508abf069a0873d6bf8" + hash = "faa9aa7118ecf9bb6594281f6b582f1ced0cc62d5db09a2fbf9b7ce70c532285" + hash = "507724d96a54f3e45c16a065bf38ae82a9b80d07096a461068a701cae0c1cf29" + hash = "969f73a1da331e43777a3c1f08ec0734e7cf8c8136e5d469cbad8035fbfe3b47" + hash = "a38c26c0754f6c9389ea43dd0149db26b95742c1b37468fcf0d8ced66da1dcb9" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f0062006900740055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription IObitUnlockerDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f006200690074 } /* CompanyName IObit */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* InternalName IObitUnlockersys 
*/ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072 } /* ProductName IObitUnlocker */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* OriginalFilename IObitUnlockersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0049004f00620069007400200043006f0070007900720069006700680074002000a900200032003000300035002d0032003000310033 } /* LegalCopyright IObitCopyright */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iobitunlocker/i +} + + +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_D807 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d80714d87529bb0bc7abcc12d768c43a697fbca59741c38fa0b46900da4db30e" + hash = "fed0fe2489ae807913be33827b3b11359652a127e33b64464cc570c05abd0d17" + hash = "7048d90ed4c83ad52eb9c677f615627b32815066e34230c3b407ebb01279bae6" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003600200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + +rule PUA_VULN_Renamed_Driver_Powertool_Kevpsys_Powertool_7462 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kEvP64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7462b7ae48ae9469474222d4df2f0c4f72cdef7f3a69a524d4fccc5ed0fd343f" + hash = "7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230" + hash = "d9500af86bf129d06b47bcfbc4b23fcc724cfbd2af58b03cdb13b26f8f50d65e" + hash = "97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56" + hash = "e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4" + hash = "2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d" + hash = "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c" + hash = "09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184" + hash = "8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006f0077006500720054006f006f006c } /* FileDescription PowerTool */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* CompanyName PowerTool */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* InternalName kEvPsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* ProductName PowerTool */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* OriginalFilename kEvPsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0050006f0077006500720054006f006f006c } /* LegalCopyright PowerTool */ + condition: + uint16(0) == 0x5a4d and filesize < 2900KB and all of them and not filename matches /kEvP64/i +} + + rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_8B92 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ 
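Review bot: Every rule added in this hunk ends its condition with `not filename matches /…/i`, which makes the whole file compile only when the external variable `filename` is declared — the plain `yara` CLI needs `-d filename=<name>` and yara-python needs `externals={'filename': ...}`; without it compilation aborts with an undefined-identifier error and every rule in the file is lost, not just the renamed-driver ones. Nothing in the file states that, and this hunk rewrites the top of the file, so a header comment there would make the dependency explicit, e.g. `// Requires the external variable 'filename' (yara -d filename=... / yara-python externals={'filename': ...}); scores renamed copies of LOLDrivers samples`. A smaller point: the Powertool kEvP64 rule uses `filesize < 2900KB` while every neighbouring rule uses `100KB`; presumably this is derived from the sample size, but it is worth confirming the bound is intended rather than inherited from an outlier build.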
@@ -27,7 +137,7 @@ rule PUA_VULN_Renamed_Driver_Arthurliberman_Alsysiosys_Alsysio_7196 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */ @@ -50,7 +160,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e" hash = "51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -73,7 +183,7 @@ rule PUA_VULN_Renamed_Driver_Yyinc_Dianhu_BB50 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955" hash = "80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006400690061006e00680075 } /* FileDescription dianhu */ @@ -93,7 +203,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_CF4B { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d005300490043006c006f0063006b005f00430043 } /* FileDescription NTIOLibforMSIClockCC */ 
@@ -111,12 +221,14 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_CF4B { rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8F68 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00" + hash = "7227377a47204f8e2ff167eee54b4b3545c0a19e3727f0ec59974e1a904f4a96" + hash = "b11e109f6b3dbc8aa82cd7da0b7ba93d07d9809ee2a4b21ec014f6a676a53027" hash = "c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -128,7 +240,7 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8F68 { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003600200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } 
@@ -138,11 +250,12 @@ rule PUA_VULN_Renamed_Driver_Phoenixtechnologies_Agentsys_Driveragent_6948 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa" + hash = "4db1e0fdc9e6cefeb1d588668ea6161a977c372d841e7b87098cf90aa679abfb" hash = "8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f" hash = "b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414" hash = "05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748" hash = "4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004400720069007600650072004100670065006e0074002000440069007200650063007400200049002f004f00200066006f0072002000360034002d006200690074002000570069006e0064006f00770073 } /* FileDescription DriverAgentDirectIOforbitWindows */ @@ -171,7 +284,7 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_FF11 { hash = "57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572" hash = "4d0580c20c1ba74cf90d44c82d040f0039542eea96e4bbff3996e6760f457cee" hash = "a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
@@ -187,6 +300,105 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_FF11 { } +rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxusbsys_Virtualboxusbdriver_5B26 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSB.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5b26c4678ecd37d1829513f41ff9e9df9ef1d1d6fea9e3d477353c90cc915291" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* FileDescription VirtualBoxUSBdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* InternalName VBoxUSBSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* ProductName VirtualBoxUSBdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* OriginalFilename VBoxUSBSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright SunMicrosystemsInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VBoxUSB/i +} + + +rule 
PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_8E92 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8e92aacd60fca1f09b7257e62caf0692794f5d741c5d1eec89d841e87f2c359c" + hash = "84c5f6ddd9c90de873236205b59921caabb57ac6f7a506abbe2ce188833bbe51" + hash = "ac1af529c9491644f1bda63267e0f0f35e30ab0c98ab1aecf4571f4190ab9db4" + hash = "2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e" + hash = "79440da6b8178998bdda5ebde90491c124b1967d295db1449ec820a85dc246dd" + hash = "6001c6acae09d2a91f8773bbdfd52654c99bc672a9756dc4cb53dc2e3efeb097" + hash = "dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98" + hash = "8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126" + hash = "49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ 
+ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i +} + + +rule PUA_VULN_Renamed_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_7D4C { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NCHGBIOS2x64.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7d4ca5760b6ad2e4152080e115f040f9d42608d2c7d7f074a579f911d06c8cf8" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00420049004f00530020005500700064006100740065002000440072006900760065007200200046006f0072002000570069006e0064006f007700730020007800360034002000450064006900740069006f006e } /* FileDescription BIOSUpdateDriverForWindowsxEdition */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e } /* CompanyName TOSHIBACorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0031002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* InternalName NCHGBIOSxSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0054004f00530048004900420041002000420049004f00530020005000610063006b006100670065 } /* ProductName TOSHIBABIOSPackage */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* OriginalFilename NCHGBIOSxSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200031003900390039002d003200300031003000200054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCTOSHIBACorporationAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NCHGBIOS2x64/i +} + + +rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_D7B7 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d7b743c3f98662c955c616e0d1bb0800c9602e5b6f2385336a72623037bfd6dd" + hash = "2665d3127ddd9411af38a255787a4e2483d720aa021be8d6418e071da52ed266" + hash = "567809308cfb72d59b89364a6475f34a912d03889aa50866803ac3d0bf2c3270" + hash = "93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = 
{ 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rzpnk/i +} + + rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_2BBE { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" @@ -194,7 +406,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_2BBE { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250" hash = "e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d0053004900530069006d0070006c0065005f004f0043 } /* FileDescription NTIOLibForMSISimpleOC */ 
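Review bot: Every rule added in this hunk (5B26, 8E92, 7D4C, D7B7) closes its condition with `not filename matches /…/i`, and `filename` is not a YARA builtin but an external variable the scanner has to define, so a plain `yara rules.yar <file>` or a yara-python compile without externals rejects the whole file with an undefined-identifier error instead of just skipping the rule. Nothing in the hunk documents that requirement; the same applies to the other rules this commit adds (BE68, 65DE, 66A2, 0B54, 07FB, F77F) and, as far as visible, to the pre-existing rules. Since the file looks generated, the natural fix is a file-level comment emitted by the generator, e.g. `/* NOTE: conditions reference the external variable "filename" - define it at scan time (yara -d filename=<basename>) or the rule set fails to compile */`; the file header is outside this hunk.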
@@ -217,7 +429,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_97B3 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd" hash = "89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -239,7 +451,7 @@ rule PUA_VULN_Renamed_Driver_Phoenixtechnologiesltd_Phlashnt_Winphlash_65DB { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300570069006e0046006c006100730068002000440072006900760065007200200066006f0072002000570069006e0064006f007700730020004e0054 } /* FileDescription SWinFlashDriverforWindowsNT */ @@ -262,7 +474,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_EE3F { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7" hash = "62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -284,7 +496,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_ECD0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -306,7 +518,7 @@ rule PUA_VULN_Renamed_Driver_Biostargroup_Iodriver_Biostariodriver_D205 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ 
@@ -322,13 +534,35 @@ rule PUA_VULN_Renamed_Driver_Biostargroup_Iodriver_Biostariodriver_D205 { } +rule PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_BE68 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "be683cd38e64280567c59f7dc0a45570abcb8a75f1d894853bbbd25675b4adf7" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055002d005a0020004400720069007600650072 } /* FileDescription CPUZDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i +} + + rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_1023 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ 
@@ -346,11 +580,11 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_B019 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003300320020007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ 
@@ -366,6 +600,39 @@ rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_B019 { } +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Cpuzsys_Windowsrwinddkdriver_65DE { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "65deb5dca18ee846e7272894f74d84d9391bbe260c22f24a65ab37d48bd85377" + hash = "c7f64b27cd3be5af1c8454680529ea493dfbb09e634eec7e316445ad73499ae0" + hash = "c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e" + hash = "922d23999a59ce0d84b479170fd265650bc7fae9e7d41bf550d8597f472a3832" + hash = "1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c" + hash = "60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289" + hash = "592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c" + hash = "2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e" + hash = "c673f2eed5d0eed307a67119d20a91c8818a53a3cb616e2984876b07e5c62547" + hash = "b7aa4c17afdaff1603ef9b5cc8981bed535555f8185b59d5ae13f342f27ca6c5" + hash = "8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b" + hash = "4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i +} + + rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Amifldrvsys_Windowsrwinddkdriver_38D8 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amifldrv64.sys, amifldrv.sys" @@ -373,7 +640,7 @@ rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Amifldrvsys_Windowsrwinddkdr reference = "https://github.com/magicsword-io/LOLDrivers" hash = "38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20" hash = "ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0049002000470065006e00650072006900630020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription AMIGenericUtilityDriver */ 
@@ -395,7 +662,7 @@ rule PUA_VULN_Renamed_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_9131 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */ @@ -417,7 +684,7 @@ rule PUA_VULN_Renamed_Driver_Cyreninc_Amp_Cyrenamp_CBB8 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00500020004d0069006e006900660069006c007400650072 } /* FileDescription AMPMinifilter */ 
@@ -433,6 +700,54 @@ rule PUA_VULN_Renamed_Driver_Cyreninc_Amp_Cyrenamp_CBB8 { } +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_66A2 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "66a20fc2658c70facd420f5437a73fa07a5175998e569255cfb16c2f14c5e796" + hash = "4cd80f4e33b713570f6a16b9f77679efa45a466737e41db45b41924e7d7caef4" + hash = "00c02901472d74e8276743c847b8148be3799b0e3037c1dfdca21fa81ad4b922" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename 
matches /libnicm/i +} + + +rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_0B54 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0b547368c03e0a584ae3c5e62af3728426c68b316a15f3290316844d193ad182" + hash = "f15962354d37089884abba417f58e9dbd521569b4f69037a24a37cfc2a490672" + hash = "9fa120bda98633e30480d8475c9ac6637470c4ca7c63763560bf869138091b01" + hash = "9eba5d1545fdbf37cf053ac3f3ba45bcb651b8abb7805cbfdfb5f91ea294fb95" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100370037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100370037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rzpnk/i +} + + 
rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7882 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxdrv.sys" @@ -440,7 +755,7 @@ rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7882 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f" hash = "c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ 
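Review bot: `PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_0B54` in this hunk carries a description identical to that of `PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_D7B7` added earlier in the commit, yet the two rules differ only in their FileVersion/ProductVersion hex strings (decoding to 1.0.12.10177 here versus 1.0.12.10155 there), so a hit reports nothing that tells the two builds apart beyond the hash suffix in the rule name. Carrying the build into the description, e.g. `description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys (FileVersion 1.0.12.10177)"`, would make a match self-explanatory in alert output. If these rules are generator output, the change belongs in the generator rather than in this file.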
@@ -456,6 +771,30 @@ rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7882 } +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Lgdatacatchersys_Gameacc_07FB { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgDataCatcher.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "07fb2bb6c852f6a6fe982b2232f047e167be39738bac26806ffe0927ba873756" + hash = "45b07a2f387e047a6bb0e59b7f22fb56182d57b50e84e386a38c2dbb7e773837" + hash = "516159871730b18c2bddedb1a9da110577112d4835606ee79bb80e7a58784a13" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006500690067006f00640020006e006500740020006400610074006100200063006100740063006800650072002e } /* FileDescription Leigodnetdatacatcher */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c006700440061007400610043006100740063006800650072002e007300790073 } /* InternalName LgDataCatchersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470061006d0065004100630063 } /* ProductName GameAcc */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c006700440061007400610043006100740063006800650072002e007300790073 } /* OriginalFilename LgDataCatchersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002000320030003200300020006e006e002e0063006f006d } /* 
LegalCopyright Copyrightnncom */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /LgDataCatcher/i +} + + rule PUA_VULN_Renamed_Driver_Bsmisys_552F { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BSMIx64.sys" @@ -463,7 +802,7 @@ rule PUA_VULN_Renamed_Driver_Bsmisys_552F { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9" hash = "59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053004d00490020004400720069007600650072 } /* FileDescription SMIDriver */ @@ -486,7 +825,7 @@ rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Bsdefsys_Supportsstsfssteeatftat hash = "5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be" hash = "3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5" hash = "0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440065006600610075006c0074002000420049004f005300200046006c0061007300680020004400720069007600650072 } /* FileDescription DefaultBIOSFlashDriver */ @@ -508,7 +847,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_3070 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0053004900200043006f006d00430065006e00530065007200760069006300650020004400720069007600650072 } /* FileDescription MSIComCenServiceDriver */ 
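Review bot: The LegalCopyright hex of `PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Lgdatacatchersys_Gameacc_07FB` in this hunk decodes to `Copyright  2020 nn.com` with two consecutive 0020 code units, and no other LegalCopyright string in this commit contains a double space; that looks more like a non-Latin character dropped by the generator than a literal double space in the resource. If the driver's VersionInfo does contain a character there, this pattern never matches the real file, and because the condition is `all of them` the rule would never fire on the very sample it was built from. Worth checking the resource string of the 07fb… sample before shipping; if a code unit was stripped, either emit the exact UTF-16 bytes or put a short jump such as `0020[0-2]0032` at that spot so the string tolerates it.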
@@ -530,7 +869,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_AAA3 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -552,7 +891,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_654C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -574,18 +913,25 @@ rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_0D37 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f" + hash = "c8f0bb5d8836e21e7a22a406c69c01ba7d512a808c37c45088575d548ee25caa" hash = "df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15" + hash = "636b4c1882bcdd19b56370e2ed744e059149c64c96de64ac595f20509efa6220" hash = "19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758" + hash = "b01ebea651ec7780d0fe88dd1b6c2500a36dacf85e3a4038c2ca1c5cb44c7b5d" hash = "8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6" hash = "5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe" + hash = "a11cf43794ea5b5122a0851bf7de08e559f6e9219c77f9888ff740055f2c155e" + hash = "d0543f0fdc589c921b47877041f01b17a534c67dcc7c5ad60beba8cf7e7bc9c6" + hash = "b9695940f72e3ed5d7369fb32958e2146abd29d5895d91ccc22dfbcc9485b78b" hash = "11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b" + hash = "e51ec2876af3c9c3f1563987a9a35a10f091ea25ede16b1a34ba2648c53e9dfc" hash = "e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90" hash = "80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1" hash = "523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba" hash = "67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc" hash = "1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512" hash = "9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ 
@@ -607,7 +953,7 @@ rule PUA_VULN_Renamed_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00420049004f00530020005500700064006100740065002000440072006900760065007200200046006f0072002000570069006e0064006f007700730020007800360034002000450064006900740069006f006e } /* FileDescription BIOSUpdateDriverForWindowsxEdition */ 
@@ -623,13 +969,37 @@ rule PUA_VULN_Renamed_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_ } +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_F77F { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f77fe6b1e0e913ac109335a8fa2ac4961d35cbbd50729936059aba8700690a9e" + hash = "c6feb3f4932387df7598e29d4f5bdacec0b9ce98db3f51d96fc4ffdcc6eb10e1" + hash = "1675eedd4c7f2ec47002d623bb4ec689ca9683020e0fdb0729a9047c8fb953dd" + hash = "e7b79fe1377b3da749590c080d4d96e59e622b1013b2183b98c81baa8bf2fffe" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + 
condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i +} + + rule PUA_VULN_Renamed_Driver_Wj_Kprocesshacker_C725 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - krpocesshacker.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kprocesshacker.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */ 
@@ -640,25 +1010,82 @@ rule PUA_VULN_Renamed_Driver_Wj_Kprocesshacker_C725 { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00700072006f0063006500730073006800610063006b00650072002e007300790073 } /* OriginalFilename kprocesshackersys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]004c006900630065006e00730065006400200075006e006400650072002000740068006500200047004e0055002000470050004c002c002000760033002e } /* LegalCopyright LicensedundertheGNUGPLv */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /krpocesshacker/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /kprocesshacker/i } -rule PUA_VULN_Renamed_Driver_Atitechnologiesinc_Atillksys_Atidiagnostics_5C04 { +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_3140 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a" - hash = "ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173" - hash = "38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7" - date = "2023-07-14" + hash = "3140005ce5cac03985f71c29732859c88017df9d41c3761aa7c57bbcb7ad2928" + hash = "18f306b6edcfacd33b7b244eaecdd0986ef342f0d381158844d1f0ee1ac5c8d7" + hash = "c08581e3e444849729c5b956d0d6030080553d0bc6e5ae7e9a348d45617b9746" + hash = "94c226a530dd3cd8d911901f702f3dab8200d1d4fdc73fcb269f7001f4e66915" + hash = "00b3ff11585c2527b9e1c140fd57cb70b18fd0b775ec87e9646603056622a1fd" + date = "2023-07-31" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410054004900200044006900610067006e006f007300740069006300730020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription ATIDiagnosticsHardwareAbstractionSys */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410054004900200054006500630068006e006f006c006f006700690065007300200049006e0063002e } /* CompanyName ATITechnologiesInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310031002e0039002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310031002e0039002e0030 } /* ProductVersion */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and 
filesize < 100KB and all of them and not filename matches /nicm/i +} + + +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwinddkdriver_47E3 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "47e35f474f259314c588af35e88561a015801b52db523eb75fc7eccff8b3be4d" + hash = "6703400b490b35bcde6e41ce1640920251855e6d94171170ae7ea22cdd0938c0" + hash = "f488500be4eaafba74b644be95d4c0523297770fb9bb78c449f643ab8d4a05d9" + hash = "639ff79f13e40d47b90ecd709699edd10e740cb41451acb95590a68b6352de2b" + hash = "0eace788e09c8d3f793a1fad94d35bcfd233f0777873412cd0c8172865562eec" + hash = "db1dbb09d437d3e8bed08c88ca43769b4fe8728f68b78ff6f9c8d2557e28d2b1" + hash = "5c54a5cd3386ac14725a07962562e9fdcefbb7be0d19803f9d71de24573de1e3" + hash = "8017e618b5a7aa608cc4bce16e4defd6b4e99138c4ba1bdd6ad78e39f035cf59" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b00200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0039002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName 
netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /netfilter2/i +} + + +rule PUA_VULN_Renamed_Driver_Atitechnologiesinc_Atillksys_Atidiagnostics_5C04 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a" + hash = "c825a47817399e988912bb75106befaefae0babc0743a7e32b46f17469c78cad" + hash = "be66f3bbfed7d648cfd110853ddb8cef561f94a45405afc6be06e846b697d2b0" + hash = "ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173" + hash = "38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7" + hash = "6c6c5e35accc37c928d721c800476ccf4c4b5b06a1b0906dc5ff4df71ff50943" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410054004900200044006900610067006e006f007300740069006300730020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription ATIDiagnosticsHardwareAbstractionSys */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00410054004900200054006500630068006e006f006c006f006700690065007300200049006e0063002e } /* CompanyName ATITechnologiesInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310031002e0039002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310031002e0039002e0030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* InternalName atillksys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410054004900200044006900610067006e006f00730074006900630073 } /* ProductName ATIDiagnostics */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* OriginalFilename atillksys */ @@ -674,7 +1101,7 @@ rule PUA_VULN_Renamed_Driver_Lenovogrouplimitedr_Lenovodiagnosticsdriversys_Leno author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c0065006e006f0076006f00200044006900610067006e006f00730074006900630073002000440072006900760065007200200066006f0072002000570069006e0064006f0077007300200031003000200061006e00640020006c0061007400650072002e } /* FileDescription LenovoDiagnosticsDriverforWindowsandlater */ 
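Review bot: The two new nicm.sys rules — PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_3140 in this hunk and PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_E728 in the -713,6 +1140,29 hunk — carry identical description text, so an alert shows nothing but the four-hex-digit suffix to tell them apart. Read with the four-hex-digits-per-character layout the ASCII entries use, the rules differ in FileVersion (3.1.12.0 versus 3.1.11.0) and in the LegalCopyright year range (2000-2015 versus 2000-2014), so the split is deliberate but undocumented. Putting the version in the description makes it self-explaining, e.g. `description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys (FileVersion 3.1.12.0)"` here and the 3.1.11.0 counterpart on E728.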
@@ -697,7 +1124,7 @@ rule PUA_VULN_Renamed_Driver_Lgelectronicsinc_Lhasys_Microsoftwindowsoperatingsy reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf" hash = "23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c00480041 } /* FileDescription LHA */ 
@@ -713,6 +1140,29 @@ rule PUA_VULN_Renamed_Driver_Lgelectronicsinc_Lhasys_Microsoftwindowsoperatingsy } +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_E728 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e728b259113d772b4e96466ab8fe18980f37c36f187b286361c852bd88101717" + hash = "a15325e9e6b8e4192291deb56c20c558dde3f96eb682c6e90952844edb984a00" + hash = "4c859b3d11d2ff0049b644a19f3a316a8ca1a4995aa9c39991a7bde8d4f426a4" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them 
and not filename matches /nicm/i +} + + rule PUA_VULN_Renamed_Driver_Biostargroup_Iodriver_Biostariodriverfle_55FE { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_I2cIo.sys" @@ -721,7 +1171,7 @@ rule PUA_VULN_Renamed_Driver_Biostargroup_Iodriver_Biostariodriverfle_55FE { hash = "55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a" hash = "42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb" hash = "f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ 
@@ -737,34 +1187,6 @@ rule PUA_VULN_Renamed_Driver_Biostargroup_Iodriver_Biostariodriverfle_55FE { } -rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Cpuzsys_Windowsrwinddkdriver_C3E1 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e" - hash = "1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c" - hash = "60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289" - hash = "592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c" - hash = "2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e" - hash = "8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b" - hash = "4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036" - date = "2023-07-14" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i -} - - rule PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Gdrvsys_Windowsrserverddkdriver_1792 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" @@ -772,8 +1194,9 @@ rule PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Gdrvsys_Windowsrserverddk reference = "https://github.com/magicsword-io/LOLDrivers" hash = "17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229" hash = "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427" + hash = "88992ddcb9aaedb8bfcc9b4354138d1f7b0d7dddb9e7fcc28590f27824bee5c3" hash = "6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ 
@@ -795,10 +1218,15 @@ rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_34BE { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "34bee22c18ddbddbe115cf1ab55cabf0e482aba1eb2c343153577fb24b7226d3" + hash = "da617fe914a5f86dc9d657ef891bbbceb393c8a6fea2313c84923f3630255cdb" hash = "5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02" + hash = "368a9c2b6f12adbe2ba65181fb96f8b0d2241e4eae9f3ce3e20e50c3a3cc9aa1" + hash = "572c545b5a95d3f4d8c9808ebeff23f3c62ed41910eb162343dd5338e2d6b0b4" + hash = "4d5059ec1ebd41284b9cea6ce804596e0f386c09eee25becdd3f6949e94139ba" hash = "bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa" + hash = "11a4b08e70ebc25a1d4c35ed0f8ef576c1424c52b580115b26149bd224ffc768" hash = "ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -820,7 +1248,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ 
@@ -842,7 +1270,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -864,9 +1292,17 @@ rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_26E3 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43" + hash = "53bd8e8d3542fcf02d09c34282ebf97aee9515ee6b9a01cefd81baa45c6fd3d6" + hash = "b4c07f7e7c87518e8950eb0651ae34832b1ecee56c89cdfbd1b4efa8cf97779f" + hash = "b738eab6f3e32cec59d5f53c12f13862429d3db6756212bbcd78ba4b4dbc234c" + hash = "0484defcf1b5afbe573472753dc2395e528608b688e5c7d1d178164e48e7bed7" + hash = "d366cbc1d5dd8863b45776cfb982904abd21d0c0d4697851ff54381055abcfc8" + hash = "65e3548bc09dffd550e79501e3fe0fee268f895908e2bba1aa5620eb9bdac52d" hash = "c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26" + hash = "fb1183ef22ecbcc28f9c0a351c2c0280f1312a0fdf8a9983161691e2585efc70" + hash = "8a0702681bc51419fbd336817787a966c7f92cabe09f8e959251069578dfa881" hash = "3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ 
@@ -888,9 +1324,12 @@ rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_2E66 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0" + hash = "b0b6a410c22cc36f478ff874d4a23d2e4b4e37c6e55f2a095fc4c3ef32bcb763" hash = "fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f" + hash = "5a661e26cfe5d8dedf8c9644129039cfa40aebb448895187b96a8b7441d52aaa" hash = "76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22" - date = "2023-07-14" + hash = "202d9703a5b8d06c5f92d2c5218a93431aa55af389007826a9bfaaf900812213" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ @@ -911,10 +1350,12 @@ rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_8D57 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2" + hash = "b8ffe83919afc08a430c017a98e6ace3d9cbd7258c16c09c4f3a4e06746fc80a" hash = "f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c" hash = "900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88" hash = "771015b2620942919bb2e0683476635b7a09db55216d6fbf03534cb18513b20c" - date = "2023-07-14" + hash = "6c5c6c350c8dd4ca90a8cca0ed1eeca185ebc67b1100935c8f03eb3032aca388" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ 
@@ -936,7 +1377,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ 
@@ -952,6 +1393,38 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex } +rule PUA_VULN_Renamed_Driver_Asrockincorporation_Asrdrvsys_Asrockiodriver_4D03 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrDrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4d03a01257e156a3a018230059052791c3cde556e5cec7a4dd2f55f65c06e146" + hash = "950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9" + hash = "ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c" + hash = "a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc" + hash = "53bb076e81f6104f41bc284eedae36bd99b53e42719573fa5960932720ebc854" + hash = "d20d8bf80017e98b6dfc9f6c3960271fa792a908758bef49a390e2692a2a4341" + hash = "f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b" + hash = "3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838" + hash = "2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d" + hash = "6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7" + hash = "4bf974f5d3489638a48ee508b4a8cfa0f0262909778ccdd2e871172b71654d89" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* FileDescription ASRockIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* 
ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* InternalName AsrDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* ProductName ASRockIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* OriginalFilename AsrDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AsrDrv/i +} + + rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_9521 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" @@ -988,7 +1461,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_9521 { hash = "9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449" hash = "7893307df2fdde25371645a924f0333e1b2de31b6bc839d8e2a908d7830c6504" hash = "39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ 
@@ -1012,7 +1485,8 @@ rule PUA_VULN_Renamed_Driver_Asustek_Driversys_Ectool_4285 { hash = "42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0" hash = "927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a" hash = "771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd" - date = "2023-07-14" + hash = "1beb15c90dcf7a5234ed077833a0a3e900969b60be1d04fcebce0a9f8994bdbb" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400680065002000640072006900760065007200200066006f007200200074006800650020004500430074006f006f006c0020006400720069007600650072002d0062006100730065006400200074006f006f006c0073 } /* FileDescription ThedriverfortheECtooldriverbasedtools */ 
@@ -1028,6 +1502,30 @@ rule PUA_VULN_Renamed_Driver_Asustek_Driversys_Ectool_4285 { } +rule PUA_VULN_Renamed_Driver_Netfiltersys_26D6 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "26d67d479dafe6b33c980bd1eed0b6d749f43d05d001c5dcaaf5fcddb9b899fe" + hash = "2fa78c2988f9580b0c18822b117d065fb419f9c476f4cfa43925ba6cd2dffac3" + hash = "6a234a2b8eb3844f7b5831ee048f88e8a76e9d38e753cc82f61b234c79fe1660" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a00530051002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQTDIHookDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches 
/netfilter2/i +} + + rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_D682 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" @@ -1044,7 +1542,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex hash = "89b9823ed974a5b71de8468324d45b7e9d6dc914f93615ba86c6209b25b3cbf7" hash = "e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd" hash = "c089a31ac95d41ed02d1e4574962f53376b36a9e60ff87769d221dc7d1a3ecfa" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -1066,7 +1564,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysy author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ 
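Review bot: In PUA_VULN_Renamed_Driver_Netfiltersys_26D6 the CompanyName and ProductName patterns end in bare `/* CompanyName */` and `/* ProductName */` comments, and the rule name drops the vendor and product parts every other rule in this diff carries, apparently because those VersionInfo values are non-ASCII (`5b8f56fe65e05fe7`, `65e05fe752a0901f5668`). That leaves two of the eight required strings unreviewable by eye, and anyone triaging a hit has no vendor name to search for. Read with the same four-hex-digits-per-character layout as the ASCII entries, the values are the code points U+5B8F U+56FE U+65E0 U+5FE7 and U+65E0 U+5FE7 U+52A0 U+901F U+5668; recording at least that in the comments, e.g. `/* CompanyName U+5B8F U+56FE U+65E0 U+5FE7 */`, or a transliteration, would restore reviewability.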
@@ -1082,13 +1580,35 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysy } +rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_9E34 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9e3430d5e0e93bc4a5dccc985053912065e65722bfc2eaf431bc1da91410434c" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0036003000380037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0036003000380037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rzpnk/i +} + + rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_7CB5 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, 
zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -1109,7 +1629,7 @@ rule PUA_VULN_Renamed_Driver_Eldoscorporation_Elrawdsksys_Rawdisk_5A82 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a" hash = "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200610077004400690073006b0020004400720069007600650072002e00200041006c006c006f00770073002000770072006900740065002000610063006300650073007300200074006f002000660069006c0065007300200061006e006400200072006100770020006400690073006b00200073006500630074006f0072007300200066006f0072002000750073006500720020006d006f006400650020006100700070006c00690063006100740069006f006e007300200069006e002000570069006e0064006f007700730020003200300030003000200061006e00640020006c0061007400650072002e } /* FileDescription RawDiskDriverAllowswriteaccesstofilesandrawdisksectorsforusermodeapplicationsinWindowsandlater */ @@ -1131,7 +1651,7 @@ rule PUA_VULN_Renamed_Driver_Hpinc_Hpportioxsys_Hpportio_C505 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ 
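Review bot: The added rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_9E34 uses `filesize < 200KB`, while every other rule added in this diff uses `filesize < 100KB`; if the bound is derived from the sample's size that is fine, but nothing in the rule records it, so a reader cannot tell a deliberate widening from a typo. A short meta entry or a comment on the condition line, e.g. `/* size bound derived from the referenced sample */`, would settle that. The Razer rule is complete within the hunk; the ZAM rule that follows it continues past the hunk's end.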
@@ -1147,13 +1667,61 @@ rule PUA_VULN_Renamed_Driver_Hpinc_Hpportioxsys_Hpportio_C505 { } +rule PUA_VULN_Renamed_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutsys_Inpoutdriverversion_B8DE { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - inpout32.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b8ded5e10dfc997482ba4377c60e7902e6f755674be51b0e181ae465529fb2f2" + hash = "945ee05244316ff2f877718cf0625d4eb34e6ec472f403f958f2a700f9092507" + hash = "cfab93885e5129a86d13fd380d010cc8c204429973b776ab1b472d84a767930f" + hash = "7db320e49139f636c8b6d12b6c78b666a62599e9d59587ba87c6b89b0a34b18d" + hash = "16360ead229b13deb47bc2bef40f282474c9f18c213c636cdfb8cc2495168251" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00650072006e0065006c0020006c006500760065006c00200070006f0072007400200061006300630065007300730020006400720069007600650072 } /* FileDescription Kernellevelportaccessdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048006900670068007200650073006f006c007500740069006f006e00200045006e0074006500720070007200690073006500730020005b007700770077002e006800690067006800720065007a002e0063006f002e0075006b005d } /* CompanyName HighresolutionEnterpriseswwwhighrezcouk */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006e0070006f0075007400330032002e007300790073 } /* InternalName inpoutsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006e0070006f00750074003300320020004400720069007600650072002000560065007200730069006f006e00200031002e0032 } 
/* ProductName inpoutDriverVersion */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006e0070006f0075007400330032002e007300790073 } /* OriginalFilename inpoutsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300030003800200048006900670068007200650073006f006c007500740069006f006e00200045006e007400650072007000720069007300650073002e00200050006f007200740069006f006e007300200043006f007000790072006900670068007400200028006300290020004c006f00670069007800340075 } /* LegalCopyright CopyrightcHighresolutionEnterprisesPortionsCopyrightcLogixu */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /inpout32/i +} + + +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_B9AD { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b9ad7199c00d477ebbc15f2dcf78a6ba60c2670dad0ef0994cebccb19111f890" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200033002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* 
InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + rule PUA_VULN_Renamed_Driver_Supermicrocomputerinc_Superbmc_Superbmc_F843 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - superbmc.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007300750070006500720062006d0063 } /* FileDescription superbmc */ 
@@ -1169,13 +1737,60 @@ rule PUA_VULN_Renamed_Driver_Supermicrocomputerinc_Superbmc_Superbmc_F843 { } +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_1228 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1228d0b6b4f907384346f64e918cc28021fe1cd7d4e39687bca34a708998261a" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200033002c00200031002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200033002c00200031002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003400200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and 
not filename matches /elbycdio/i +} + + +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_DD2F { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "dd2f1f7012fb1f4b2fb49be57af515cb462aa9c438e5756285d914d65da3745b" + hash = "0cfb7ea2cc515a7fe913ab3619cbfcf1ca96d8cf72dc350905634a5782907a49" + hash = "b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b" + hash = "d1c78c8ba70368e96515fb0596598938a8f9efa8f9f5d9e068ee008f03020fee" + hash = "b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright 
CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i +} + + rule PUA_VULN_Renamed_Driver_Dell_Dbutil_71FE { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DBUtilDrv2.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440042005500740069006c } /* FileDescription DBUtil */ @@ -1195,10 +1810,13 @@ rule PUA_VULN_Renamed_Driver_Rweverything_Rwdrvsys_Rwdrvdriver_EA0B { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3" hash = "3279593db91bb7ad5b489a01808c645eafafda6cc9c39f50d10ccc30203f2ddf" + hash = "83fbf5d46cff38dd1c0f83686708b3bd6a3a73fddd7a2da2b5a3acccd1d9359c" hash = "1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe" hash = "45ba688a4bded8a7e78a4f5b0dc21004e951ddceb014bb92f51a3301d2fbc56a" hash = "d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d" - date = "2023-07-14" + hash = "d15a0bc7a39bbeff10019496c1ed217b7c1b26da37b2bdd46820b35161ddb3c4" + hash = "bdcacb9f373b017d0905845292bca2089feb0900ce80e78df1bcaae8328ce042" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200770044007200760020004400720069007600650072 } /* FileDescription RwDrvDriver */ 
@@ -1214,13 +1832,37 @@ rule PUA_VULN_Renamed_Driver_Rweverything_Rwdrvsys_Rwdrvdriver_EA0B { } +rule PUA_VULN_Renamed_Driver_Netfiltersys_7FF8 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7ff8fe4c220cf6416984b70a7e272006a018e5662da3cedc2a88efeb6411b4a4" + hash = "1cd75de5f54b799b60789696587b56a4a793cf60775b81f236f0e65189d863af" + hash = "12656fc113b178fa3e6bfffc6473897766c44120082483eb8059ebff29b5d2df" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a0053005100200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0037002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename 
matches /netfilter2/i +} + + rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_7795 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0020002000200020002000200020002000200020002000200020002000200020 } /* FileDescription */ @@ -1242,7 +1884,7 @@ rule PUA_VULN_Renamed_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_C author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */ @@ -1264,7 +1906,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ 
@@ -1280,13 +1922,71 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit } +rule PUA_VULN_Renamed_Driver_Elaboratebytes_Elbycdio_Cdrtools_07AF { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "07af8c5659ad293214364789df270c0e6d03d90f4f4495da76abc2d534c64d88" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f003200300030003000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073 } /* CompanyName ElaborateBytes */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200045006c00610062006f007200610074006500200042007900740065007300200032003000300030 } /* LegalCopyright CopyrightCElaborateBytes */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + +rule 
PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_F7E0 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f7e0cca8ad9ea1e34fa1a5e0533a746b2fa0988ba56b01542bc43841e463b686" + hash = "ef1abc77f4000e68d5190f9e11025ea3dc1e6132103d4c3678e15a678de09f33" + hash = "deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578" + hash = "a3975db1127c331ba541fffff0c607a15c45b47aa078e756b402422ef7e81c2c" + hash = "019c2955e380dd5867c4b82361a8d8de62346ef91140c95cb311b84448c0fa4f" + hash = "6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63" + hash = "8d6febd54ce0c98ea3653e582f7791061923a9a4842bd4a1326564204431ca9f" + hash = "2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22" + hash = "600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0" + hash = "8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775" + hash = "45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26" + hash = "3301b49b813427fa37a719988fe6446c6f4468dfe15aa246bec8d397f62f6486" + hash = "f8d6ce1c86cbd616bb821698037f60a41e129d282a8d6f1f5ecdd37a9688f585" + hash = "bc8cb3aebe911bd9b4a3caf46f7dda0f73fec4d2e4e7bc9601bb6726f5893091" + hash = "955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310034002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i +} + + rule PUA_VULN_Renamed_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_9A91 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - KfeCo11X64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */ 
@@ -1309,7 +2009,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1"
 hash = "98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
@@ -1332,7 +2032,7 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4429 {
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b"
 hash = "a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
@@ -1354,7 +2054,7 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_7CB4 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
@@ -1370,13 +2070,60 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_7CB4 { } +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtierforwindows_V_C190 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "c190e4a7f1781ec9fa8c17506b4745a1369dcdf174ce07f85de1a66cf4b5ed8a" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0035002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760033002e0031002e003500200028003200300030003600300038003200380029 } /* ProductVersion v */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i +} + + +rule PUA_VULN_Renamed_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_DAF5 { + meta: + description = "Detects 
renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "daf549a7080d384ba99d1b5bd2383dbb1aa640f7ea3a216df1f08981508155f5" + hash = "786f0ba14567a7e19192645ad4e40bee6df259abf2fbdfda35b6a38f8493d6cc" + hash = "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69" + hash = "87aae726bf7104aac8c8f566ea98f2b51a2bfb6097b6fc8aa1f70adeb4681e1b" + hash = "48b1344e45e4de4dfb74ef918af5e0e403001c9061018e703261bbd72dc30548" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WiseUnlo/i +} + + rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_E2E7 { meta: description = "Detects renamed 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -1398,7 +2145,7 @@ rule PUA_VULN_Renamed_Driver_Ssmartsoftwaresolutionsgmbh_Sysdrvs_Sysdrvs_0E53 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530079007300440072007600330053 } /* FileDescription SysDrvS */ @@ -1420,7 +2167,7 @@ rule PUA_VULN_Renamed_Driver_Copyright_Advancedmalwareprotection_6F55 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041006400760061006e0063006500640020004d0061006c0077006100720065002000500072006f00740065006300740069006f006e } /* FileDescription AdvancedMalwareProtection */ 
@@ -1443,7 +2190,7 @@ rule PUA_VULN_Renamed_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_D
 hash = "d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2"
 hash = "0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff"
 hash = "ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */
@@ -1459,13 +2206,44 @@ rule PUA_VULN_Renamed_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_D } +rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_405A { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "405a99028c99f36ab0f84a1fd810a167b8f0597725e37513d7430617106501f1" + hash = "73c03b01d5d1eb03ec5cb5a443714b12fa095cc4b09ddc34671a92117ae4bb3a" + hash = "e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b" + hash = "ff987c30ce822d99f3b4b4e23c61b88955f52406a95e6331570a2a13cbebc498" + hash = "78d49094913526340d8d0ef952e8fe9ada9e8b20726b77fb88c9fb5d54510663" + hash = "a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4" + hash = "b0f6cd34717d0cea5ab394b39a9de3a479ca472a071540a595117219d9a61a44" + hash = "0e8595217f4457757bed0e3cdea25ea70429732b173bba999f02dc85c7e06d02" + hash = "40da0adf588cbb2841a657239d92f24b111d62b173204b8102dd0e014932fe59" + hash = "ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310036002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i +} + + rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FDA9 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
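Review bot: The `LegalCopyright` string in the new `_405A` rule decodes to `Copyright(C) 2016 CPUID` (`…0032003000310036…`), while the `_DEEC` rule deleted further down in this diff matched the same VersionInfo field set with `2014` (`…0032003000310034…`), and none of DEEC's seven hashes (deecbcd2…, 6befa481…, 2101d5e8…, 600a2119…, 8cf0cbbd…, 45c3d607…, 955dac77…) reappear under 405A or among the hashes added to `_2A6D`. Because the condition is `all of them`, that single differing field is enough for the 2014 cpuz.sys build to stop matching, so unless those samples are still covered in the strict or vuln_drivers rule files this change silently narrows detection. If the drop is deliberate it deserves a sentence in the commit description; otherwise keep DEEC next to 405A instead of replacing it. Both rules share the `6.1.7600.16385` FileVersion strings, so a hash listed in `meta` should be checked against the strings it is expected to hit before the rule set is regenerated.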
@@ -1481,6 +2259,28 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FDA9 { } +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_76AF { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "76af3f9fa111d694e37058606f2636430bdd378c85b94f426fbfcd6666ebe6cc" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e003700300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003000380020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all 
of them and not filename matches /HWiNFO32/i +} + + rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_AB09 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" @@ -1489,8 +2289,10 @@ rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_AB09 { hash = "ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a" hash = "e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48" hash = "e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790" + hash = "8138b219a2b1be2b0be61e5338be470c18ad6975f11119aee3a771d4584ed750" + hash = "f27febff1be9e89e48a9128e2121c7754d15f8a5b2e88c50102cecee5fe60229" hash = "da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ 
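Review bot: The condition `not filename matches /HWiNFO32/i` in the new `_76AF` rule (and in every rule added by this diff) relies on the external variable `filename`, which nothing in the rule file declares; `yara` refuses to compile the ruleset unless it is supplied (`yara -d filename=HWiNFO32.SYS …`, or `externals={'filename': …}` in yara-python), and when a scanner passes an empty value the exclusion presumably never fires and the unrenamed driver is flagged as well — worth confirming. Since this file is published as a standalone `.yar`, a header comment stating the requirement, e.g. `/* These rules require the external variable "filename"; pass it with -d filename=<basename> */`, would save consumers a confusing compile error; the file header is outside this hunk. The `_76AF` rule block is complete within the hunk, but the hunk also reaches into the Novell `_AB09` rule whose body continues past it.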
@@ -1505,41 +2307,13 @@ rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_AB09 { } -rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_DEEC { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578" - hash = "6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63" - hash = "2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22" - hash = "600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0" - hash = "8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775" - hash = "45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26" - hash = "955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad" - date = "2023-07-14" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ 
= { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310034002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i -} - - rule PUA_VULN_Renamed_Driver_Microfocus_Microfocusxtier_95D5 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription XTierCOMServicesDriver */ @@ -1560,7 +2334,7 @@ rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_C894 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ 
@@ -1576,13 +2350,36 @@ rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_C894 } +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_003E { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "003e61358878c7e49e18420ee0b4a37b51880be40929a76e529c7b3fb18e81b4" + hash = "8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c" + hash = "53810ca98e07a567bb082628d95d796f14c218762cbbaa79704740284dccda4b" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename 
matches /nscm/i +} + + rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_7661 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ 
@@ -1595,13 +2392,35 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_7661 { } +rule PUA_VULN_Renamed_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_965D { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "965d4f981b54669a96c5ab02d09bf0a9850d13862425b8981f1a9271350f28bb" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310031 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sfdrvx64/i +} + + rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E4EC { meta: description = "Detects 
renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ 
@@ -1617,13 +2436,36 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E4EC { } +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_653F { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "653f6a65e0e608cae217bea2f90f05d8125cf23f83ba01a60de0f5659cfa5d4d" + hash = "a855b6ec385b3369c547a3c54e88a013dd028865aba0f3f08be84cdcbaa9a0f6" + hash = "49ef680510e3dac6979a20629d10f06822c78f45b9a62ec209b71827a526be94" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename 
matches /nscm/i +} + + rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_7D43 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -1645,7 +2487,7 @@ rule PUA_VULN_Renamed_Driver_Pchuntersys_Pchunter_1B7F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00450070006f006f006c0073006f00660074002000570069006e0064006f0077007300200049006e0066006f0072006d006100740069006f006e0020005600690065007700200054006f006f006c0073 } /* FileDescription EpoolsoftWindowsInformationViewTools */ 
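Review bot: `PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_653F` differs from `_003E`, added earlier in this diff, only in the FileVersion/ProductVersion strings (`3.1.11` vs `3.1.6`) and the copyright year range (`2000-2014` vs `2000-2011`); the renamed-driver signal actually comes from CompanyName, ProductName and `OriginalFilename nscm.sys` combined with `not filename matches /nscm/i`, which are identical in both. Pinning exact version strings means every further nscm.sys build needs yet another rule while the renamed-binary logic stays the same, so if the generator allows it, one rule on the version-independent fields carrying both hash sets in `meta` would cover these and future builds. If the exact versions are intentional, to limit the rule to builds confirmed vulnerable, a short comment above the condition such as `/* version strings pinned on purpose: only these builds are confirmed vulnerable */` would stop the next maintainer from merging them. The rule block is complete within the hunk.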
@@ -1667,9 +2509,13 @@ rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_2A6D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486" + hash = "3813c1aab1760acb963bcc10d6ea3fddc2976b9e291710756408de392bc9e5d5" hash = "aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399" + hash = "68671b735716ffc168addc052c5dc3d635e63e71c1e78815e7874286c3fcc248" hash = "1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961" - date = "2023-07-14" + hash = "69640e9209f8e2ac25416bd3119b5308894b6ce22b5c80cb5d5f98f2f85d42ce" + hash = "2298e838e3c015aedfb83ab18194a2503fe5764a862c294c8b39c550aab2f08e" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -1692,7 +2538,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibxsys_Ntiolibx_1E8B { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee" hash = "5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062005f005800360034 } /* FileDescription NTIOLibX */ 
@@ -1708,13 +2554,37 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibxsys_Ntiolibx_1E8B { } +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_1B17 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1b17d12076d047e74d15e6e51e10497ad49419bec7fbe93386c57d3efbaadc0b" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and 
not filename matches /HWiNFO32/i +} + + rule PUA_VULN_Renamed_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_C628 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2" - date = "2023-07-14" + hash = "0d30c6c4fa0216d0637b4049142bc275814fd674859373bd4af520ce173a1c75" + hash = "7164aaff86b3b7c588fc7ae7839cc09c5c8c6ae29d1aff5325adaf5bedd7c9f5" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ @@ -1736,7 +2606,7 @@ rule PUA_VULN_Renamed_Driver_Wj_Kprocesshacker_7021 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */ @@ -1757,7 +2627,7 @@ rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_AB8F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ 
@@ -1773,13 +2643,38 @@ rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_AB8F { } +rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_8ED0 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8ed0c00920ce76e832701d45117ed00b12e20588cb6fe8039fbccdfef9841047" + hash = "e77786b21dbe73e9619ac9aac5e7e92989333d559aa22b4b65c97f0a42ff2e21" + hash = "9724488ca2ba4c787640c49131f4d1daae5bd47d6b2e7e5f9e8918b1d6f655be" + hash = "a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0037003400360035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0037003400360035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rzpnk/i +} + 
+ rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Cupfixerxsys_Windowsrwinddkdriver_8C74 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CupFixerx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530069006e0063006500790020004300750070002000460069007800650072 } /* FileDescription SinceyCupFixer */ @@ -1801,7 +2696,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_3B6E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -1823,7 +2718,7 @@ rule PUA_VULN_Renamed_Driver_Mydriverscom_Hwm_Drivergenius_08EB { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440072006900760065007200470065006e0069007500730020004800610072006400770061007200650020006d006f006e00690074006f0072 } /* FileDescription DriverGeniusHardwaremonitor */ 
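Review bot: `filesize < 200KB` in the new `_8ED0` rzpnk rule is the only size bound in this diff that departs from the `filesize < 100KB` used by every other renamed-driver rule added here, and nothing in the rule says why. If the bound is derived from the sizes of the four listed samples that is fine, but since these rules appear to be generated it is either a deliberate hand edit that the next regeneration will overwrite or a generator quirk worth checking. A comment above the condition, `/* rzpnk.sys samples exceed 100KB; bound raised deliberately */`, or a note in the commit description would settle it. The rule block is complete within the hunk.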
@@ -1839,13 +2734,36 @@ rule PUA_VULN_Renamed_Driver_Mydriverscom_Hwm_Drivergenius_08EB { } +rule PUA_VULN_Renamed_Driver_Rweverything_Asrsetupdrvsys_Asrsetupdrvdriver_A072 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrSetupDrv103.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a0728184caead84f2e88777d833765f2d8af6a20aad77b426e07e76ef91f5c3f" + hash = "9d9346e6f46f831e263385a9bd32428e01919cca26a035bbb8e9cb00bf410bc3" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072005300650074007500700044007200760031003000330020004400720069007600650072 } /* FileDescription AsrSetupDrvDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e0067 } /* CompanyName RWEverything */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00410073007200530065007400750070004400720076003100300033002e007300790073 } /* InternalName AsrSetupDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100730072005300650074007500700044007200760031003000330020004400720069007600650072 } /* ProductName AsrSetupDrvDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00410073007200530065007400750070004400720076003100300033002e007300790073 } /* OriginalFilename AsrSetupDrvsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002000520057002d00450076006500720079007400680069006e0067 } /* LegalCopyright CopyrightCRWEverything */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AsrSetupDrv103/i +} + + rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_36E3 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ 
@@ -1861,13 +2779,35 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_36E3 { } +rule PUA_VULN_Renamed_Driver_Innotekgmbh_Vboxguest_Virtualboxguestadditions_9833 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxguest.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "983310cdce8397c016bfcfcc9c3a8abbb5c928b235bc3c3ae3a3cc10ef24dfbd" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004400720069007600650072 } /* FileDescription VirtualBoxGuestDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00760062006f007800670075006500730074 } /* InternalName vboxguest */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760062006f007800670075006500730074002e007300790073 } /* OriginalFilename vboxguestsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /vboxguest/i +} + + rule 
PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_8CFD { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ 
@@ -1879,29 +2819,80 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i +} + + +rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_58A7 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c002000310031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c002000310031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName 
viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100360020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i +} + + +rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_AD8F { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ad8fd8300ed375e22463cea8767f68857d9a3b0ff8585fbeb60acef89bf4a7d7" + hash = "0507d893e3fd2917c81c1dc13ccb22ae5402ab6ca9fb8d89485010838050d08d" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0039003900380036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0039003900380036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rzpnk/i } -rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_58A7 { +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwinddkdriver_0F3E { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495" - date = "2023-07-14" + hash = "0f3e7bf7b103613844a38afb574817ddaecd00e4d206d891660dbb0e5dfee04e" + hash = "62b14bb308c99132d90646e85bc7d6eb593f38e225c8232f69f24b74a019c176" + hash = "9dbc2a37f53507296cc912e7d354dab4e55541ba821561aa84f74d1bd8346be2" + hash = "71701c5c569ef67391c995a12b21ca06935b7799ed211d978f7877115c58dce0" + hash = "81bcd8a3f8c17ac6dc4bad750ad3417914db10aa15485094eef0951a3f72bdbd" + hash = "1a0f57a4d7c8137baf24c65d542729547b876979273df7a245aaeea87280c090" + hash = "65a3e69854c729659281d2c5f8a4c8274ad3606befdcd9e1b79d3262f260bfa1" + date = "2023-07-31" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c002000310031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c002000310031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100360020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b00200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0039002e0037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e0039003200300030002e00320030003500350037 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /netfilter2/i } @@ -1911,7 +2902,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -1933,7 +2924,7 @@ rule PUA_VULN_Renamed_Driver_Hpinc_Hpportioxsys_Hpportio_A468 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ 
@@ -1948,6 +2939,31 @@ rule PUA_VULN_Renamed_Driver_Hpinc_Hpportioxsys_Hpportio_A468 { } +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_6B71 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6b71b7f86e41540a82d7750a698e0386b74f52962b879cbb46f17935183cd2c7" + hash = "dd4fedd5662122cbfe046a12e2137294ef1cb7822238d9e24eacc78f22f8e93d" + hash = "cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190" + hash = "1c2f1e2b0cc4da128feb73a6b9dd040df8495fefe861d69c9f44778c6ddb9b9b" + hash = "904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } 
/* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nicm/i +} + + rule PUA_VULN_Renamed_Driver_Marvintestsolutionsinc_Hwsys_Hw_FD38 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - hw.sys" @@ -1955,7 +2971,7 @@ rule PUA_VULN_Renamed_Driver_Marvintestsolutionsinc_Hwsys_Hw_FD38 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c" hash = "6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d00380020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */ @@ -1977,7 +2993,7 @@ rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryz author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ 
@@ -1993,13 +3009,60 @@ rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryz } +rule PUA_VULN_Renamed_Driver_Innotekgmbh_Vboxusbmonsys_Virtualboxusbmonitordriver_3D05 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSBMon.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3d055be2671e136c937f361cef905e295ddb6983526341f1d5f80a16b7655b40" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* FileDescription VirtualBoxUSBMonitorDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* InternalName VBoxUSBMonsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* ProductName VirtualBoxUSBMonitorDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* OriginalFilename VBoxUSBMonsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright innotekGmbH */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VBoxUSBMon/i +} + + +rule 
PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_4C2D { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4c2d2122ef7a100e1651f2ec50528c0d1a2b8a71c075461f0dc58a1aca36bc61" + hash = "d59cc3765a2a9fa510273dded5a9f9ac5190f1edf24a00ffd6a1bbd1cb34c757" + hash = "dafa4459d88a8ab738b003b70953e0780f6b8f09344ce3cd631af70c78310b53" + hash = "46d1dc89cc5fa327e7adf3e3d6d498657240772b85548c17d2e356aac193dd28" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003200300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003200300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310038002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rzpnk/i +} + + rule 
PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_7133 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -2021,7 +3084,7 @@ rule PUA_VULN_Renamed_Driver_Pinduoduoltdcorp_Vboxdrv_Pinduoduosecurevdi_9DAB { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ 
@@ -2037,6 +3100,28 @@ rule PUA_VULN_Renamed_Driver_Pinduoduoltdcorp_Vboxdrv_Pinduoduosecurevdi_9DAB { } +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_83A1 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "83a1fabf782d5f041132d7c7281525f6610207b38f33ff3c5e44eb9444dd0cbc" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200031002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200031002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003500200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and 
not filename matches /elbycdio/i +} + + rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3FF3 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" @@ -2044,7 +3129,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa" hash = "86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ 
@@ -2060,13 +3145,39 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex } +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_1493 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "14938f68957ede6e2b742a550042119a8fbc9f14427fb89fa53fff12d243561c" + hash = "e4cf438838dc10b188b3d4a318fd9ba2479abb078458d7f97591c723e2d637ce" + hash = "41eeeb0472c7e9c3a7146a2133341cd74dd3f8b5064c9dee2c70e5daa060954f" + hash = "ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2" + hash = "a495ffa623a5220179b0dd519935e255dd6910b7b7bc3d68906528496561ff53" + hash = "28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i +} + + rule PUA_VULN_Renamed_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_6532 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ @@ -2088,7 +3199,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_1768 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ 
@@ -2110,7 +3221,7 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_D7E0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -2130,7 +3241,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1A42 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -2152,7 +3263,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_BCFC { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -2175,7 +3286,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3854 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039" hash = "b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -2191,13 +3302,35 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3854 { } +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_EC9B { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ec9bd7fb90c3a2aa4605bd73fe1f74399e2cda75fd4c5fff84660ad4f797c4fe" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all 
of them and not filename matches /HWiNFO32/i +} + + rule PUA_VULN_Renamed_Driver_Entechtaiwan_Seasys_Softenginex_6CB5 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Se64a.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006e005400650063006800200073006f006600740045006e00670069006e006500200078003600340020006b00650072006e0065006c002d006d006f006400650020006400720069007600650072 } /* FileDescription EnTechsoftEnginexkernelmodedriver */ @@ -2219,7 +3352,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_4B52 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ 
@@ -2235,27 +3368,25 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_4B52 { } -rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_E0B5 { +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_7702 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b" - hash = "a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4" - hash = "ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d" - date = "2023-07-14" + hash = "7702f240800528d8186e3e6a26e2680486fed65a6fb5a2a000ad12c1fb61a398" + date = "2023-07-31" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* 
OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310036002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003700300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO32/i } 
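Review bot: The CPUID rule `PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_E0B5` removed in this hunk carried three sample hashes (e0b5…, a072…, ded2…), and no rule for cpuz.sys is re-emitted anywhere visible in this diff; the HWiNFO 7.70 rule that takes its slot does not cover those samples. If the regeneration merely moved the CPUID rule elsewhere in the file this is a no-op, but if a source YAML change caused the generator to drop it, detection of renamed cpuz.sys copies silently disappears from the `mal_drivers` set. A `grep -c cpuz.sys` over the regenerated rules files before and after the commit would settle which case applies.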
@@ -2265,7 +3396,7 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_18DE { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -2283,11 +3414,11 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_18DE { rule PUA_VULN_Renamed_Driver_Iobitinformationtechnology_Iobitunlockersys_Unlocker_F85C { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - IObitUnlocker.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iobitunlocker.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription UnlockerDriver */ 
@@ -2299,7 +3430,7 @@ rule PUA_VULN_Renamed_Driver_Iobitinformationtechnology_Iobitunlockersys_Unlocke $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* OriginalFilename IObitUnlockersys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200049004f006200690074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright IObitAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /IObitUnlocker/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iobitunlocker/i } @@ -2309,7 +3440,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysy author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -2331,7 +3462,7 @@ rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryz author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ 
@@ -2353,7 +3484,7 @@ rule PUA_VULN_Renamed_Driver_Multitheftauto_Mtasanandreas_9F4C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0075006c007400690020005400680065006600740020004100750074006f0020007000610074006300680020006400720069007600650072 } /* FileDescription MultiTheftAutopatchdriver */ 
@@ -2367,13 +3498,35 @@ rule PUA_VULN_Renamed_Driver_Multitheftauto_Mtasanandreas_9F4C { } +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_F629 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f62911334068c9edd44b9c3e8dee8155a0097aa331dd4566a61afa3549f35f65" + hash = "0cf91e8f64a7c98dbeab21597bd76723aee892ed8fa4ee44b09f9e75089308e2" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i +} + + rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_45F4 { meta: 
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -2392,7 +3545,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3E1D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2414,7 +3567,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysy author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ 
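Review bot: The exemption `not filename matches /nscm/i` in the new Novell rule is an unanchored, case-insensitive substring test, so a renamed copy whose new name still contains `nscm` (for example `winscm.sys` or `nscm_old.sys`) is treated as the legitimate driver and never fires, although catching renamed copies is the rule's stated purpose. If the scanner supplies the basename in `filename`, `not filename matches /^nscm\.sys$/i` expresses the intent exactly; if it supplies a full path, `/[\\\/]nscm\.sys$/i` does. Every rule in this file uses the same loose pattern, so the tightening presumably belongs in the generator rather than in this hand-edited hunk.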
@@ -2430,13 +3583,57 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysy } +rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_4ED2 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e00320030003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i +} + + +rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxtapsys_Virtualboxhostinterfacenetworkingdriver_CFA2 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxTAP.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "cfa28e2f624f927d4cbd2952306570d86901d2f24e3d07cc6277e98289d09783" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* FileDescription VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002f0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002f0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* InternalName 
VBoxTAPsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* ProductName VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* OriginalFilename VBoxTAPsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e002000260020004f00740068006500720073 } /* LegalCopyright SunMicrosystemsIncOthers */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VBoxTAP/i +} + + rule PUA_VULN_Renamed_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_B583 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - KfeCo10X64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */ 
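Review bot: In the Realtek rule's condition the three clauses `not filename matches /rtkio64/i`, `/rtkiow8x64/i` and `/rtkiow10x64/i` are dead, because `/rtkio/i` is an unanchored substring match that already covers every one of those names; the condition reduces to `uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i`. Separately, the CompanyName, ProductName, InternalName, OriginalFilename and LegalCopyright strings carry long runs of `0020` (space padding) copied verbatim from sample 4ed2…, and with `all of them` a build whose VersionInfo has different padding will not match. The description's claim to cover rtkio.sys, rtkiow8x64.sys and rtkiow10x64.sys therefore presumably holds only for builds with byte-identical padded strings, which is worth confirming against those samples.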
@@ -2452,13 +3649,57 @@ rule PUA_VULN_Renamed_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_B } +rule PUA_VULN_Renamed_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_88FB { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "88fb0a846f52c3b680c695cd349bf56151a53a75a07b8b0b4fe026ab8aa0a9af" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530070006500650064002000460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310030 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sfdrvx64/i +} + + +rule 
PUA_VULN_Renamed_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautochkupddrvdriver_4AE4 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrAutoChkUpdDrv_1_0_32.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4ae42c1f11a98dee07a0d7199f611699511f1fb95120fabc4c3c349c485467fe" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f003300320020004400720069007600650072 } /* FileDescription AsrAutoChkUpdDrvDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f00330032002e007300790073 } /* InternalName AsrAutoChkUpdDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f003300320020004400720069007600650072 } /* ProductName AsrAutoChkUpdDrvDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f00330032002e007300790073 } /* OriginalFilename AsrAutoChkUpdDrvsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AsrAutoChkUpdDrv_1_0_32/i +} + + rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_F6CD { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ 
@@ -2474,25 +3715,25 @@ rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryz } -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_B37B { +rule PUA_VULN_Renamed_Driver_Innotekgmbh_Vboxtapsys_Virtualboxhostinterfacenetworkingdriver_994F { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxTAP.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b" - hash = "b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e" - date = "2023-07-14" + hash = "994f322def98c99aec7ea0036ef5f4b802120458782ae3867d116d55215c56e4" + date = "2023-07-31" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* FileDescription VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002f0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002f0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* InternalName VBoxTAPsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* ProductName VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* OriginalFilename VBoxTAPsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048002000260020004f00740068006500720073 } /* LegalCopyright innotekGmbHOthers */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VBoxTAP/i } 
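Review bot: The removed `PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_B37B` rule covered libnicm.sys FileVersion 3.1.6.0 with hashes b37b… and b50ff…, and neither hash reappears anywhere visible in this diff; the libnicm rule added further down (`…_Novellxtier_D04C`) carries FileVersion 3.1.12.0 and a 2000-2015 copyright string, so under `all of them` it would not match the 3.1.6.0 samples. If the generator re-emitted the 3.1.6.0 rule elsewhere in the file this is a no-op, otherwise the commit loses coverage for two known samples. A `grep b37b3c6877b7 *.yar` over the regenerated tree settles it, and the innotek VBoxTAP rule that replaces it is fine on its own.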
@@ -2502,7 +3743,7 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2A62 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -2524,7 +3765,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -2547,7 +3788,7 @@ rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredri reference = "https://github.com/magicsword-io/LOLDrivers" hash = "092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0" hash = "0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ 
@@ -2563,13 +3804,36 @@ rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredri } +rule PUA_VULN_Renamed_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_9D53 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9d530642aeb6524691d06b9e02a84e3487c9cdd86c264b105035d925c984823a" + hash = "5e27fe26110d2b9f6c2bad407d3d0611356576b531564f75ff96f9f72d5fcae4" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00310032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e00310032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WiseUnlo/i +} + + rule PUA_VULN_Renamed_Driver_Supermicrocomputerinc_Phymem_Phymem_1963 { meta: description = "Detects renamed vulnerable driver mentioned in 
LOLDrivers project using VersionInfo values from the PE header - phymem64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007000680079006d0065006d0020004100700070006c00690063006100740069006f006e } /* FileDescription phymemApplication */ @@ -2591,7 +3855,7 @@ rule PUA_VULN_Renamed_Driver_Hilschergesellschaftfrsystemaoutomationmbh_Physmems author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006800790073006900630061006c0020004d0065006d006f0072007900200041006300630065007300730020004400720069007600650072 } /* FileDescription PhysicalMemoryAccessDriver */ 
@@ -2607,13 +3871,37 @@ rule PUA_VULN_Renamed_Driver_Hilschergesellschaftfrsystemaoutomationmbh_Physmems } +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_D04C { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d04c72fd31e7d36b101ad30e119e14f6df9cbc7a761526da9b77f9e0b9888bc4" + hash = "3b7177e9a10c1392633c5f605600bb23c8629379f7f42957972374a05d4dc458" + hash = "87e094214feb56a482cd8ae7ee7c7882b5a8dccce7947fdaa04a660fa19f41e5" + hash = "72b67b6b38f5e5447880447a55fead7f1de51ca37ae4a0c2b2f23a4cb7455f35" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright 
CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i +} + + rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_E839 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004300500055005f00430043 } /* FileDescription NTIOLibforMSICPUCC */ @@ -2631,11 +3919,11 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_E839 { rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F85E { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ 
@@ -2647,7 +3935,7 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F85E { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } @@ -2657,8 +3945,11 @@ rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_6C71 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44" + hash = "8b688dd055ead2c915a139598c8db7962b42cb6e744eaacfcb338c093fc1f4e7" + hash = "84739539aa6a9c9cb3c48c53f9399742883f17f24e081ebfa7bfaaf59f3ed451" + hash = "e279e425d906ba77784fb5b2738913f5065a567d03abe4fd5571695d418c1c0f" hash = "3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ 
@@ -2679,7 +3970,7 @@ rule PUA_VULN_Renamed_Driver_Dtresearchinc_Iomemsys_Iomemsys_DD4A { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ @@ -2702,7 +3993,7 @@ rule PUA_VULN_Renamed_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_00 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b" hash = "a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ @@ -2724,7 +4015,7 @@ rule PUA_VULN_Renamed_Driver_Creativetechnologyinnovationcoltd_Ctiiosys_Ctiiodri author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430054004900200049004f0020006400720069007600650072 } /* FileDescription CTIIOdriver */ 
@@ -2746,7 +4037,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_6500 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ 
@@ -2758,7 +4049,29 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_6500 { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i +} + + +rule PUA_VULN_Renamed_Driver_Elaboratebytes_Elbycdio_Cdrtools_98EC { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "98ec7cc994d26699f5d26103a0aeb361128cff3c2c4d624fc99126540e23e97e" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f003200300030003000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073 } /* CompanyName ElaborateBytes */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200031002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO 
*/ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200045006c00610062006f007200610074006500200042007900740065007300200032003000300030 } /* LegalCopyright CopyrightCElaborateBytes */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } @@ -2772,7 +4085,7 @@ rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_1A4F { hash = "0da746e49fd662be910d0e366934a7e02898714eaaa577e261ab40eb44222b5c" hash = "e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f" hash = "01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ @@ -2795,7 +4108,7 @@ rule PUA_VULN_Renamed_Driver_Huawei_Hwosec_Huaweimatebook_BB11 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc" hash = "b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00480077004f0073003200450063 } /* FileDescription HwOsEc */ 
@@ -2817,7 +4130,7 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_1F81 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
@@ -2833,13 +4146,59 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_1F81 { } +rule PUA_VULN_Renamed_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_0BD1 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0bd1523a68900b80ed1bccb967643525cca55d4ff4622d0128913690e6bb619e" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310033 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sfdrvx32/i +} + + +rule 
PUA_VULN_Renamed_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_1FAC { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1fac3fab8ea2137a7e81a26de121187bf72e7d16ffa3e9aec3886e2376d3c718" + hash = "f4c7e94a7c2e49b130671b573a9e4ff4527a777978f371c659c3f97c14d126de" + hash = "cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000340020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of 
them and not filename matches /EIO/i +} + + rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_ADA4 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ 
@@ -2851,7 +4210,29 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_ADA4 { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + +rule PUA_VULN_Renamed_Driver_Netfiltersys_F171 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f1718a005232d1261894b798a60c73d971416359b70d0e545d7e7a40ed742b71" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a0053005100200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0037002e0038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e0039003200300030002e00320030003500350037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /netfilter2/i } @@ -2861,7 +4242,7 @@ rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_074A { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -2884,7 +4265,7 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_F877 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54" hash = "de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
@@ -2906,7 +4287,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_818E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2929,7 +4310,7 @@ rule PUA_VULN_Renamed_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_5F reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36" hash = "29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ @@ -2951,7 +4332,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_ED2F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -2973,7 +4354,7 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_DE8F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ 
@@ -2986,41 +4367,13 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_DE8F { } -rule PUA_VULN_Renamed_Driver_Asrockincorporation_Asrdrvsys_Asrockiodriver_950A { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrOmgDrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9" - hash = "ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c" - hash = "a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc" - hash = "f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b" - hash = "3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838" - hash = "2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d" - hash = "6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7" - date = "2023-07-14" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* FileDescription ASRockIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* InternalName AsrDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* ProductName ASRockIODriver */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* OriginalFilename AsrDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AsrOmgDrv/i -} - - rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_E428 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -3044,7 +4397,7 @@ rule PUA_VULN_Renamed_Driver_Rweverything_Rwdrvsys_Rweverythingreadwritedriver_0 hash = "2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14" hash = "2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a" hash = "47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520057002d00450076006500720079007400680069006e006700200052006500610064002000260020005700720069007400650020004400720069007600650072 } /* FileDescription RWEverythingReadWriteDriver */ 
@@ -3060,25 +4413,47 @@ rule PUA_VULN_Renamed_Driver_Rweverything_Rwdrvsys_Rweverythingreadwritedriver_0 } -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_CF31 { +rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_CBF7 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NICM.SYS" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190" - hash = "904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a" - date = "2023-07-14" + hash = "cbf74bed1a4d3d5819b7c50e9d91e5760db1562d8032122edac6f0970f427183" + date = "2023-07-31" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e00640072006100200044006500760069006300650020004400720069007600650072002000280049004100360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverIAUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdPresentAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sandra/i +} + + +rule 
PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_1284 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1284a1462a5270833ec7719f768cdb381e7d0a9c475041f9f3c74fa8eea83590" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003300320020007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0032002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0032002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300035002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all 
of them and not filename matches /NICM/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sandra/i } @@ -3088,7 +4463,7 @@ rule PUA_VULN_Renamed_Driver_Logitechinc_Lvavsys_Logitechwebcamsoftware_E86C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f00670069007400650063006800200056006900640065006f0020004400720069007600650072 } /* FileDescription LogitechVideoDriver */ @@ -3110,7 +4485,7 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_2BBC { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -3129,7 +4504,7 @@ rule PUA_VULN_Renamed_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_F1 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ 
@@ -3145,35 +4520,13 @@ rule PUA_VULN_Renamed_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_F1 } -rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_93D8 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63" - date = "2023-07-14" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rzpnk/i -} - - rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_86A1 { meta: description = "Detects renamed vulnerable driver mentioned in 
LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3195,7 +4548,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_4DA0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3217,7 +4570,7 @@ rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltxs author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ 
@@ -3241,7 +4594,7 @@ rule PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Rtkiosys_Window hash = "caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab" hash = "478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82" hash = "916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ 
@@ -3257,38 +4610,13 @@ rule PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Rtkiosys_Window } -rule PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_2EF7 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e" - hash = "dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98" - hash = "8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126" - hash = "49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668" - date = "2023-07-14" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName 
WindowsRCodenameLonghornDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i -} - - rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_6FFD { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c00650020004e006f00540072006100700020004200750069006c0064 } /* FileDescription TrendMicroCommonModuleNoTrapBuild */ @@ -3310,7 +4638,7 @@ rule PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Speedfansys_Windowsrserve author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200044006500760069006300650020004400720069007600650072 } /* FileDescription SpeedFanDeviceDriver */ 
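Review bot: Deleting `PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_2EF7` drops the only rule in this view that detects a renamed cpuz.sys, which the rule's own description labels a vulnerable driver listed in LOLDrivers, and none of the four hashes it carried (2ef7df38…, dbb457ae…, 8e5aef7c…, 49329fa0…) reappears in any rule added in the visible hunks. No replacement for the CPUID FileDescription/InternalName strings is added here either, so a renamed cpuz.sys would go undetected by this file unless the rule is regenerated elsewhere. If the removal is deliberate (for example a false-positive decision), record that in the commit message or the source YAML entry; otherwise keep the rule. The hunk ends inside the `…_Trendmicroinc_Tmcommsys_Trendmicroeyes_6FFD` rule, whose remaining strings and condition lie outside it.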
@@ -3326,13 +4654,35 @@ rule PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Speedfansys_Windowsrserve } +rule PUA_VULN_Renamed_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_F4EE { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f4ee803eefdb4eaeedb3024c3516f1f9a202c77f4870d6b74356bbde32b3b560" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310033 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sfdrvx64/i +} + + rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_AD8F { 
meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -3354,7 +4704,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysy author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -3376,7 +4726,7 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_19BF { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
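Review bot: The comments on the new `…_Almicosoftware_Sfdrvxsys_Speedfan_X_F4EE` rule lose the one detail that makes its hex strings reviewable: `/* FileVersion X */` and `/* ProductVersion X */` both decode to `X2.03.11`, and the rule name carries the same stripped `X`, so a reader cannot tell which SpeedFan build this matches without decoding UTF-16 by hand; spell it `/* FileVersion X2.03.11 */` (the comment sanitiser appears to drop digits, so fix it in the generator if this file is generated). Like every rule in this file, the condition references the external variable `filename`; a consumer that compiles the file without defining it (`yara -d filename=... ` or the API equivalent) gets an undefined-identifier compile error, and nothing visible in the file says so — a one-line header comment stating the requirement would save users of the exported rules some confusion. The hunk ends inside the `…_Aswarpot_Avastantivirus_AD8F` rule.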
@@ -3392,37 +4742,13 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_19BF { } -rule PUA_VULN_Renamed_Driver_Powertool_Kevpsys_Powertool_1AAA { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kEvP64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c" - hash = "09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184" - hash = "8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f" - date = "2023-07-14" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006f0077006500720054006f006f006c } /* FileDescription PowerTool */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* CompanyName PowerTool */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* InternalName kEvPsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* ProductName PowerTool */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* OriginalFilename kEvPsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0050006f0077006500720054006f006f006c } /* LegalCopyright PowerTool */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /kEvP64/i -} - - rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2FBB { meta: - 
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -3434,7 +4760,7 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2FBB { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } 
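Review bot: Removing `PUA_VULN_Renamed_Driver_Powertool_Kevpsys_Powertool_1AAA` drops renamed-driver coverage for kEvP64.sys (hashes 1aaa9aef…, 09b0e07a…, 8e6363a6…) and nothing in the visible part of this diff re-adds the PowerTool VersionInfo strings, so a renamed copy of that driver is no longer flagged by this file unless the rule is regenerated elsewhere. The other edits in this hunk are cosmetic (the `ElbyCDIO.sys` → `elbycdio.sys` description change and the date bump) and need no action. If the removal is deliberate, say so in the commit message; otherwise keep the 1AAA rule or confirm it is produced from the source YAML. The hunk ends inside the `…_Elaboratebytesag_Elbycdio_Cdrtools_2FBB` rule, whose remaining strings and condition lie outside it.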
@@ -3444,7 +4770,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_14AD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3466,7 +4792,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E4D9 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3488,7 +4814,7 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F65 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
@@ -3512,7 +4838,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex hash = "3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc" hash = "46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7" hash = "6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ 
@@ -3528,13 +4854,35 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex } +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_6E9E { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6e9e9e0b9a23deec5f28dc45f0bbe7423565f037f74be2957e82e5f72c886094" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003800300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00380030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB 
and all of them and not filename matches /HWiNFO32/i +} + + rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_A2F4 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -3556,7 +4904,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_DCB8 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3580,7 +4928,7 @@ rule PUA_VULN_Renamed_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutxsys_ hash = "2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d" hash = "f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af" hash = "f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00650072006e0065006c0020006c006500760065006c00200070006f0072007400200061006300630065007300730020006400720069007600650072 } /* FileDescription Kernellevelportaccessdriver */ 
@@ -3598,11 +4946,11 @@ rule PUA_VULN_Renamed_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutxsys_ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2380 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ 
@@ -3614,17 +4962,17 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2380 { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_496F { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ 
@@ -3646,7 +4994,7 @@ rule PUA_VULN_Renamed_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_4 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d004900430053005900530020006400720069007600650072 } /* FileDescription MICSYSdriver */ @@ -3669,7 +5017,7 @@ rule PUA_VULN_Renamed_Driver_Marvintestsolutionsinc_Hwsys_Hw_4880 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8" hash = "55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d003100300020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */ 
@@ -3681,61 +5029,151 @@ rule PUA_VULN_Renamed_Driver_Marvintestsolutionsinc_Hwsys_Hw_4880 { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00480057002e007300790073 } /* OriginalFilename HWsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390036002d00320030003200310020004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightMarvinTestSolutionsIncAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /hw/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /hw/i +} + + +rule PUA_VULN_Renamed_Driver_Overclockingtool_Atillksys_Overclockingtool_11A9 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "11a9787831ac4f0657aeb5e7019c23acc39d8833faf28f85bd10d7590ea4cc5f" + hash = "d2182b6ef3255c7c1a69223cd3c2d68eb8ba3112ce433cd49cd803dc76412d4b" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f0076006500720063006c006f0063006b0069006e00670020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription OverclockingHardwareAbstractionSys */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f0076006500720063006c006f0063006b0069006e006700200054006f006f006c } /* CompanyName OverclockingTool */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310030002e00320030002e0030 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310030002e00320030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* InternalName atillksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004f0076006500720063006c006f0063006b0069006e006700200054006f006f006c } /* ProductName OverclockingTool */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* OriginalFilename atillksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002c00200032003000300035 } /* LegalCopyright CopyrightC */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /atillk64/i +} + + +rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_0C92 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0c925468c3376458d0e1ec65e097bd1a81a03901035c0195e8f6ef904ef3f901" + hash = "16e2b071991b470a76dff4b6312d3c7e2133ad9ac4b6a62dda4e32281952fb23" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0033003100330037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0033003100330037 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rzpnk/i +} + + +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5CFA { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* 
ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + +rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Paniosys_Paniolibrary_F596 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanIO.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e0049004f002e007300790073 } /* 
InternalName PanIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e0049004f0020004c006900620072006100720079 } /* ProductName PanIOLibrary */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e0049004f002e007300790073 } /* OriginalFilename PanIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazilimBilisimTeknolojileriTicLtdSti */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /PanIO/i } -rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5CFA { +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_0DC4 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185" - date = "2023-07-14" + hash = "0dc4ff96d7e7db696e0391c5a1dda92a0b0aedbf1b0535bf5d62ebeec5b2311c" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName 
ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200030002c00200030002c00200030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003500200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } -rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Paniosys_Paniolibrary_F596 { +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_66F8 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the 
PE header - PanIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960" - date = "2023-07-14" + hash = "66f8bd2b29763acfbb7423f4c3c9c3af9f3ca4113bd580ab32f6e3ee4a4fc64e" + hash = "7f84f009704bc36f0e97c7be3de90648a5e7c21b4f870e4f210514d4418079a0" + date = "2023-07-31" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e0049004f002e007300790073 } /* InternalName PanIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e0049004f0020004c006900620072006100720079 } /* ProductName PanIOLibrary */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e0049004f002e007300790073 } /* OriginalFilename PanIOsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazilimBilisimTeknolojileriTicLtdSti */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /PanIO/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i } rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_3E27 { meta: - description = "Detects renamed vulnerable 
driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ 
@@ -3751,13 +5189,35 @@ rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_3E27 { } +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_D0EB { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d0eb3ba0aff471d19260192784bf9f056d669b779b6eaff84e732b7124ce1d11" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d00200044007200690076006500720020002800360034002d0042006900740029 } /* FileDescription TrendMicroELAMDriverBit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Tmel/i +} + + rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_D0E2 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ 
@@ -3773,13 +5233,35 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_D0E2 { } +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_1F15 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1f15fd9b81092a98fabcc4ac95e45cec2d9ff3874d2e3faac482f3e86edad441" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} 
+ + rule PUA_VULN_Renamed_Driver_Fujitsulimited_Advdrvsys_Microsoftrwindowsroperatingsystem_04A8 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ADV64DRV.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460055004a00490054005300550020004c0049004d0049005400450044002e } /* CompanyName FUJITSULIMITED */ @@ -3800,7 +5282,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysy author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -3822,7 +5304,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7837 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -3844,7 +5326,7 @@ rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltsy author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ @@ -3866,7 +5348,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_D0BD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -3888,7 +5370,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_4E37 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -3910,7 +5392,7 @@ rule PUA_VULN_Renamed_Driver_Iobit_Monitorsys_Advancedsystemcare_E4A7 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f006200690074002000540065006d007000650072006100740075007200650020004d006f006e00690074006f0072 } /* FileDescription IObitTemperatureMonitor */ @@ -3928,11 +5410,11 @@ rule PUA_VULN_Renamed_Driver_Iobit_Monitorsys_Advancedsystemcare_E4A7 { rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_881B { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ 
@@ -3954,7 +5436,7 @@ rule PUA_VULN_Renamed_Driver_Dtresearchinc_Iomemsys_Iomemsys_3D23 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ @@ -3978,7 +5460,7 @@ rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Vmdrvsys_Windowsrwinddkdrive hash = "d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3" hash = "5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921" hash = "32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0056006f006900630065006d006f00640020005600690072007400750061006c00200041007500640069006f00200044006500760069006300650020002800570044004d0029 } /* FileDescription VoicemodVirtualAudioDeviceWDM */ @@ -4001,7 +5483,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc" hash = "075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ 
@@ -4023,7 +5505,7 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F69 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -4045,7 +5527,7 @@ rule PUA_VULN_Renamed_Driver_Oti_Otipcibussys_Kernelmodedrivertoaccessphysicalme author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200041006300630065007300730020004400720069007600650072 } /* FileDescription HardwareAccessDriver */ @@ -4067,7 +5549,7 @@ rule PUA_VULN_Renamed_Driver_Atszio_Atsziodriver_673B { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b" hash = "31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ 
@@ -4084,11 +5566,11 @@ rule PUA_VULN_Renamed_Driver_Atszio_Atsziodriver_673B { rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_82FB { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ 
@@ -4100,7 +5582,29 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_82FB { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + +rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_D7C7 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d7c79238f862b471740aff4cc3982658d1339795e9ec884a8921efe2e547d7c3" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e0064007200610020004400650076006900630065002000440072006900760065007200200028007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* 
InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdPresentAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sandra/i } @@ -4110,7 +5614,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_A802 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4132,7 +5636,7 @@ rule PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Cpudriver_Windo author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041005300550053002000540044004500200043005000550020004400720069007600650072 } /* FileDescription ASUSTDECPUDriver */ 
@@ -4154,7 +5658,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_61BE { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -4170,47 +5674,25 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_61BE { } -rule PUA_VULN_Renamed_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_358A { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69" - date = "2023-07-14" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WiseUnlo/i -} - - -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_CE23 { +rule PUA_VULN_Renamed_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_1E94 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo 
values from the PE header - nscm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2" - hash = "28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7" - date = "2023-07-14" + hash = "1e94d4e6d903e98f60c240dc841dcace5f9e8bbb0802e6648a49ab80c23318cb" + date = "2023-07-31" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310031 } /* LegalCopyright CopyrightAlmicoSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sfdrvx32/i } @@ -4220,7 +5702,7 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_3C18 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ 
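Review bot: This hunk removes PUA_VULN_Renamed_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_358A and PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_CE23 without any replacement for their samples, and the hunk at -4321 does the same for PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_8E88; the rules added elsewhere in this file target libnicm.sys and sfdrvx32.sys, not WiseUnlo.sys or nscm.sys. Unless those entries were dropped from the upstream data on purpose, this is a silent loss of renamed-driver coverage for 358ac54b…, ce23c2da…, 28999af3… and 8e88cb80…, and any consumer that resolves a sample SHA256 to a rule in this file will stop finding them. If the removal is intentional it should be stated in the commit description; if it is a side effect of the generator re-ordering the output, the three rules should be re-emitted. A check that every tracked sample hash still appears in at least one `hash = "..."` meta line of the generated rule set would catch this class of regression before merge.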
@@ -4239,7 +5721,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3C42 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -4255,13 +5737,35 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3C42 { } +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_3E85 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3e85cf32562a47d51827b21ab1e7f8c26c0dbd1cd86272f3cc64caae61a7e5fb" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i 
+} + + rule PUA_VULN_Renamed_Driver_Hpdevelopmentcompany_Etdsuppsys_Hpetdidriverdll_F744 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - etdsupp.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004500540044006900200053007500700070006f007200740020004400720069007600650072 } /* FileDescription ETDiSupportDriver */ @@ -4283,7 +5787,7 @@ rule PUA_VULN_Renamed_Driver_Asus_Asmmapsys_Atkgenericfunctionservice_025E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0065006d006f007200790020006d0061007000700069006e00670020004400720069007600650072 } /* FileDescription MemorymappingDriver */ @@ -4305,7 +5809,7 @@ rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_32E1 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ 
@@ -4321,34 +5825,13 @@ rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_32E1 { } -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_8E88 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c" - date = "2023-07-14" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i -} - - rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0B54 { meta: description = "Detects renamed vulnerable 
driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -4370,7 +5853,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -4393,7 +5876,7 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_5439 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91" hash = "ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ 
@@ -4406,13 +5889,57 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_5439 { } +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_FF1C { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ff1ccef7374a1a5054a6f4437e3e0504b14ed76e17090cc6b1a4ec0e2da427a5" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003600300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00360030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all 
of them and not filename matches /HWiNFO32/i +} + + +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfoisys_Hwinfoiakerneldriver_33C6 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO64I.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "33c6c622464f80a8d8017a03ff3aa196840da8bb03bfb5212b51612b5cf953dc" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f002000490041003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOIAKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e00370032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00370032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f003600340049002e005300590053 } /* InternalName HWiNFOISYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f002000490041003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOIAKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f003600340049002e005300590053 } /* OriginalFilename HWiNFOISYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100320020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO64I/i +} + + rule 
PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5192 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -4428,13 +5955,57 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5192 { } +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_7125 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7125c9831a52d89d3d59fb28043b67fbe0068d69732da006fabb95550d1fa730" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003500300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00350030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and 
filesize < 100KB and all of them and not filename matches /HWiNFO32/i +} + + +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_E89C { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e89cb7217ec1568b43ad9ca35bf059b17c3e26f093e373ab6ebdeee24272db21" + hash = "834a3d755b5ae798561f8e5fbb18cf28dfcae7a111dc6a03967888e9d10f6d78" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i +} + + rule 
PUA_VULN_Renamed_Driver_Advancedmicrodevicesinc_Amdpowerprofilersys_Amduprof_0AF5 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDPowerProfiler.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d004400200050006f007700650072002000500072006f00660069006c0069006e00670020004400720069007600650072 } /* FileDescription AMDPowerProfilingDriver */ @@ -4456,7 +6027,7 @@ rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Panioxsys_P author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ 
@@ -4472,13 +6043,35 @@ rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Panioxsys_P } +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_8DCE { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8dcec67a1f4903981c3e0ab938784c2f241e041e26748e1c22059e0e507cfb37" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003500300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00350030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB 
and all of them and not filename matches /HWiNFO32/i +} + + rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_1AAF { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -4500,7 +6093,7 @@ rule PUA_VULN_Renamed_Driver_Biostargroup_Iodriver_Biostariodriver_1D03 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ @@ -4523,7 +6116,7 @@ rule PUA_VULN_Renamed_Driver_Windowsrddkprovider_Gdrvsys_Windowsrddkdriver_F4FF reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b" hash = "cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ 
@@ -4539,13 +6132,35 @@ rule PUA_VULN_Renamed_Driver_Windowsrddkprovider_Gdrvsys_Windowsrddkdriver_F4FF } +rule PUA_VULN_Renamed_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_0452 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0452a6e8f00bae0b79335c1799a26b2b77d603451f2e6cc3b137ad91996d4dec" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310033002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /segwindrvx64/i +} + + rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswvmmsys_Avastantivirus_3650 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswVmm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00610076006100730074002100200056004d0020004d006f006e00690074006f0072 } /* FileDescription avastVMMonitor */ @@ -4567,7 +6182,7 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_9B2F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ 
@@ -4583,6 +6198,28 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_9B2F { } +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_DD62 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "dd628061d6e53f3f0b44f409ad914b3494c5d7b5ff6ff0e8fc3161aacec93e96" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d0020004400720069007600650072 } /* FileDescription TrendMicroELAMDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Tmel/i +} + + rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FCA1 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" @@ -4590,7 +6227,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FCA1 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c" hash = "7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -4606,6 +6243,28 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FCA1 { } +rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_DB71 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "db711ec3f4c96b60e4ed674d60c20ff7212d80e34b7aa171ad626eaa8399e8c7" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300034002e0030003100300035002e00320030003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300034002e0030003100300035002e0032003000310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i +} + + rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_7E81 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" @@ -4613,7 +6272,7 @@ rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryz reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d" hash = "a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ 
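Review bot: The condition of the new DB71 rule chains four filename exclusions, `/rtkio/i`, `/rtkio64/i`, `/rtkiow8x64/i` and `/rtkiow10x64/i`, but the first already matches every name the other three match, so the last three clauses are dead and only make the condition harder to read. It can be reduced to `uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i`, with the description line above still documenting the four file names the driver ships under. If the intent was to exclude exactly those four names rather than any name containing "rtkio", a single anchored alternation such as `not filename matches /rtkio(64|w8x64|w10x64)?\.sys$/i` expresses that directly.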
@@ -4625,7 +6284,28 @@ rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryz $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003800200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i +} + + +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_6CF1 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6cf1cac0e97d30bb445b710fd8513879678a8b07be95d309cbf29e9b328ff259" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310030002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i } @@ -4635,7 +6315,7 @@ rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_B author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ 
@@ -4651,13 +6331,32 @@ rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_B } +rule PUA_VULN_Renamed_Driver_3F20 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - pchunter.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3f20ac5dac9171857fc5791865458fdb6eac4fab837d7eabc42cb0a83cb522fc" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]7cfb7edf4fe1606f67e5770b5de55177 } /* FileDescription */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8982af7f5176feff0853174eacff0979d1628067099650516c53f8 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0035002e0037 } /* ProductVersion */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200032003000310039002d003200300032003100200041006e00580069006e00530065006300200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CAnXinSecCorporationAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 700KB and all of them and not filename matches /pchunter/i +} + + rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_082C { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -4679,7 +6378,7 @@ rule PUA_VULN_Renamed_Driver_Arthurliberman_Alsysiosys_Alsysio_119C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f00360034 } /* FileDescription ALSysIO */ 
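Review bot: The FileDescription and CompanyName patterns of the new `PUA_VULN_Renamed_Driver_3F20` rule appear to hold UTF-16BE code units (`7cfb 7edf 4fe1 606f` decodes to 系统信息, `5b89 82af 7f51 76fe` to 安芯网盾), whereas PE VersionInfo strings are stored little-endian, so these two strings would not match the sample they were taken from and `all of them` would keep the rule from ever firing. The Latin-only patterns elsewhere in the file tolerate this because every second byte is 0x00 and a null byte normally precedes each key and value, so the one-byte shift still lines up; a byte-swapped CJK sequence does not. The same applies to the `96f7 795e ...` FileDescription, CompanyName and ProductName patterns of `PUA_VULN_Renamed_Driver_Proxydrvsys_Nn_0B20` added at the `@@ -4960,13 +6791,35 @@` hunk. Suggest having the generator emit non-Latin values in little-endian byte order (the first pattern would then start `fb7c df7e e14f 6f60`) or, if the encoding cannot be confirmed, dropping the non-Latin strings and relying on the version and copyright fields, and checking the regenerated rule against the referenced hash before merging. The rule name also lacks the vendor/product segments the other rules carry, presumably because those fields are non-Latin; `pchunter` from the description would be a usable stand-in.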
@@ -4695,13 +6394,35 @@ rule PUA_VULN_Renamed_Driver_Arthurliberman_Alsysiosys_Alsysio_119C { } +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9CA5 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9ca586b49135166eea00c6f83329a2d134152e0e9423822a51c13394265b6340" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + 
rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_1DDF { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -4723,7 +6444,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_12ED { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4745,7 +6466,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_3D9E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004e00540049004f004c00690062005f00450043004f } /* FileDescription NTIOLibForNTIOLibECO */ 
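Review bot: The `date` of the existing `PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_1DDF` rule is rewritten from 2023-07-14 to 2023-07-31 although nothing else in the rule changes, which discards the rule's creation date; the same happens in every date-only hunk of this file. Keeping `date = "2023-07-14"` and recording regeneration in a separate meta key, e.g. `modified = "2023-07-31"`, preserves both and keeps unchanged rules out of the diff. A diff without that churn also makes it much easier to spot rules whose strings or condition actually changed.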
@@ -4767,7 +6488,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_A5A5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -4789,7 +6510,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysy author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -4811,7 +6532,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_1C12 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -4827,13 +6548,57 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_1C12 { } +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_4E54 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4e54e98df13110aac41f3207e400cce2a00df29ce18c32186e536c1de25a75ce" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003000390020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all 
of them and not filename matches /HWiNFO32/i +} + + +rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_A6F7 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a6f7897cd08fe9de5e902bb204ff87215584a008f458357d019a50d6139ca4af" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300031002e0030003700320035002e00320030003100320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300031002e0030003700320035002e0032003000310032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f0044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i +} + + rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_0F01 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ 
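Review bot: In the condition of the new `PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_A6F7` rule the last three clauses are redundant: `not filename matches /rtkio/i` already rejects any filename containing `rtkio64`, `rtkiow8x64` or `rtkiow10x64`, so `and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i` can be dropped without changing which files are excluded. The same four-clause condition is added for `PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_442C` at the `@@ -5048,13 +6901,36 @@` hunk. If the generator emits one clause per original filename from the description, a dedup step that drops names already covered by a shorter one would keep these conditions minimal, since the regex is unanchored and a shorter name subsumes the longer ones.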
@@ -4849,13 +6614,57 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit } +rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxusbmonsys_Virtualboxusbmonitordriver_8A24 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSBMon.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8a2482e19040d591c7cec5dfc35865596ce0154350b5c4e1c9eecc86e7752145" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* FileDescription VirtualBoxUSBMonitorDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* InternalName VBoxUSBMonsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* ProductName VirtualBoxUSBMonitorDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* OriginalFilename VBoxUSBMonsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright SunMicrosystemsInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB 
and all of them and not filename matches /VBoxUSBMon/i +} + + +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_033C { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "033c4634ab1a43bc3247384864f3380401d3b4006a383312193799dded0de4c7" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + rule 
PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_C082 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4878,7 +6687,7 @@ rule PUA_VULN_Renamed_Driver_Openlibsysorg_Winringsys_Winring_47EA { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84" hash = "3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ @@ -4900,7 +6709,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_591B { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d005300490052006100740069006f005f00430043 } /* FileDescription NTIOLibForMSIRatioCC */ 
@@ -4922,7 +6731,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_3124 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004600720065007100750065006e00630079005f00430043 } /* FileDescription NTIOLibforMSIFrequencyCC */ 
@@ -4938,13 +6747,35 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_3124 { } +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5148 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "51480eebbbfb684149842c3e19a8ffbd3f71183c017e0c4bc6cf06aacf9c0292" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200033002c00200030002c00200033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200033002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003300200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename 
matches /elbycdio/i +} + + rule PUA_VULN_Renamed_Driver_Safenetinc_Hostnt_Hostnt_07B6 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HOSTNT.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006f00730074006e0074002000360034002d0062006900740020006400720069007600650072 } /* FileDescription Hostntbitdriver */ 
@@ -4960,13 +6791,35 @@ rule PUA_VULN_Renamed_Driver_Safenetinc_Hostnt_Hostnt_07B6 { } +rule PUA_VULN_Renamed_Driver_Proxydrvsys_Nn_0B20 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ProxyDrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0b205838a8271daea89656b1ec7c5bb7244c42a8b8000d7697e92095da6b9b94" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]96f7795e004e004e52a0901f5668002d9a7152a87a0b5e8f65874ef6 } /* FileDescription NN */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]96f7795eff086b666c49ff097f517edc6280672f67099650516c53f8 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c0039002c0035002c00330020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* InternalName ProxyDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]96f7795e004e004e52a0901f5668 } /* ProductName NN */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* OriginalFilename ProxyDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000400020005700770077002e004e006e002e0043006f006d } /* LegalCopyright CopyrightWwwNnCom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ProxyDrv/i +} + + rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5027 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using 
VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4988,7 +6841,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_76E8 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5010,7 +6863,7 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_2D2C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
@@ -5032,7 +6885,7 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_37C6 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
@@ -5048,13 +6901,36 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_37C6 { } +rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_442C { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "442c18aeb09556bb779b21185c4f7e152b892410429c123c86fc209a802bff3c" + hash = "3e1f592533625bf794e0184485a4407782018718ae797103f9e968ff6f0973a1" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300035002e0030003800320035002e00320030003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300035002e0030003800320035002e0032003000310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i +} + + rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_9A95 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -5073,7 +6949,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_CC58 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ 
@@ -5095,7 +6971,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_C901 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5117,7 +6993,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1273 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ 
@@ -5133,6 +7009,50 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1273 { } +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_4AC0 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4ac08a6035cfcafdac712d7c3cf2eef6e10258f14cee6e80e1ef2f71f5045173" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003900300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00390030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all 
of them and not filename matches /HWiNFO32/i +} + + +rule PUA_VULN_Renamed_Driver_Logitech_Lgcoretempsys_Lgcoretemp_E0CB { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgCoreTemp.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e0cb07a0624ddfacaa882af49e3783ae02c9fbd0ab232541a05a95b4a8abd8ef" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430050005500200043006f00720065002000540065006d007000650072006100740075007200650020004d006f006e00690074006f0072 } /* FileDescription CPUCoreTemperatureMonitor */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c006f006700690074006500630068 } /* CompanyName Logitech */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c00670043006f0072006500540065006d0070002e007300790073 } /* InternalName LgCoreTempsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c00670043006f0072006500540065006d0070 } /* ProductName LgCoreTemp */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c00670043006f0072006500540065006d0070002e007300790073 } /* OriginalFilename LgCoreTempsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004c006f006700690074006500630068002c00200049006e0063 } /* LegalCopyright CopyrightLogitechInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /LgCoreTemp/i +} + + rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_C64D { meta: description = "Detects renamed vulnerable driver mentioned in 
LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys"
@@ -5140,7 +7060,7 @@ rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_C64D {
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc"
 hash = "55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */
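Review bot: Both new conditions end in `not filename matches /HWiNFO32/i` and `not filename matches /LgCoreTemp/i`, but `filename` is not a YARA built-in; unless the file declares it somewhere outside this hunk, the whole ruleset only compiles when the scanner defines it (`yara -d filename=<basename> ...`), and a consumer that omits the definition loads no rules at all. The test is also an unanchored, case-insensitive substring match over whatever the caller passes, so if a full path is supplied, a directory component containing the original driver name silently suppresses the alert. A one-line comment above the rules would spare the next integrator both surprises: `// requires external var filename (yara -d filename=<basename>); the exclusion is an unanchored, case-insensitive substring match`. The enclosing hunk's trailing rule `..._C64D` continues past this line.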
@@ -5156,13 +7076,56 @@ rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_C64D { } +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtierforwindows_V_7A2C { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7a2cd1dc110d014165c001ce65578da0c0c8d7d41cc1fa44f974e8a82296fc25" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760033002e003100200028003200300030003600300038003000380029 } /* ProductVersion v */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nicm/i +} + + +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_16B5 { + meta: + description = "Detects renamed 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "16b591cf5dc1e7282fdb25e45497fe3efc8095cbe31c05f6d97c5221a9a547e1" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_263E { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo 
values from the PE header - viragt64.sys"
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */
@@ -5184,7 +7147,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E3EF {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
@@ -5206,7 +7169,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_98B7 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f0072002000440065006200750067004c00450044 } /* FileDescription NTIOLibforDebugLED */
@@ -5228,7 +7191,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
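Review bot: The generated trailing comments strip digits and punctuation, so the fields that actually discriminate these rules are unreadable in review: on the Novell `_7A2C` rule `/* FileVersion */` stands for the UTF-16LE bytes of `3.1.0.0` and `/* ProductVersion v */` for `v3.1 (20060808)`, and on the Elbycdio `_16B5` rule `/* FileVersion */` hides `6, 0, 1, 3`, one of the only two fields that separate it from the sibling ElbyCDIO rules. Emitting the decoded string verbatim, e.g. `/* ProductVersion "v3.1 (20060808)" */`, would make each hex pattern checkable at a glance. It is also worth a note in the `_7A2C` meta that it carries seven strings and no InternalName entry, unlike its siblings, since with `all of them` every omitted field loosens the match slightly.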
@@ -5250,7 +7213,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -5268,11 +7231,11 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8137 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ 
@@ -5284,7 +7247,7 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8137 { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } @@ -5295,7 +7258,7 @@ rule PUA_VULN_Renamed_Driver_Openlibsysorg_Winringsys_Winring_11BD { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5" hash = "a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ 
@@ -5311,13 +7274,35 @@ rule PUA_VULN_Renamed_Driver_Openlibsysorg_Winringsys_Winring_11BD { } +rule PUA_VULN_Renamed_Driver_Genitlkiwibenjaminxxxxx_Titidrv_Titidrvtiticatz_208E { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - titidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "208ea38734979aa2c86332eba1ea5269999227077ff110ac0a0d411073165f85" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007400690074006900640072007600200066006f0072002000570069006e0064006f00770073002000280074006900740069006300610074007a0029 } /* FileDescription titidrvforWindowstiticatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00690074006c006b0069007700690020002800420065006e006a0061006d0069006e0020005800580058005800580029 } /* CompanyName genitlkiwiBenjaminXXXXX */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0074006900740069006400720076 } /* InternalName titidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0074006900740069006400720076002000280074006900740069006300610074007a0029 } /* ProductName titidrvtiticatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0074006900740069006400720076002e007300790073 } /* OriginalFilename titidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00690074006c006b0069007700690020002800420065006e006a0061006d0069006e0020005800580058005800580029 } /* LegalCopyright CopyrightcgenitlkiwiBenjaminXXXXX 
*/ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /titidrv/i +} + + rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_0909 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5339,7 +7324,7 @@ rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7539 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ 
@@ -5355,13 +7340,37 @@ rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7539 } +rule PUA_VULN_Renamed_Driver_Netfiltersys_79E7 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "79e7165e626c7bde546cd1bea4b9ec206de8bed7821479856bdb0a2adc3e3617" + hash = "edc6e32e3545f859e5b49ece1cabd13623122c1f03a2f7454a61034b3ff577ed" + hash = "18b923b169b2c3c7db5cbfda0db0999f04adb2cf6c917e5b1fb2ff04714ecac1" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a00530051002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQTDIHookDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f56689a7152a865874ef6 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of 
them and not filename matches /netfilter2/i +} + + rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E05E { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -5383,7 +7392,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_478D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5405,7 +7414,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_BE8D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ 
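Review bot: The rule name `PUA_VULN_Renamed_Driver_Netfiltersys_79E7` drops the vendor and product segments every sibling rule carries, and the comments `/* CompanyName */` and `/* ProductName */` are empty, because the CompanyName pattern (`5b8f56fe65e05fe7`) and the ProductName pattern are CJK UTF-16LE text (all code points in U+4E00–U+9FFF) that the name/comment generator discarded. Since the rule name is what alerts are keyed on, a reviewer cannot tell which driver family this covers without decoding the hex by hand. Suggest keeping non-ASCII text (or a transliteration) in both places, or at least annotating the two strings as `/* CompanyName (CJK, non-ASCII) */` and `/* ProductName (CJK, non-ASCII) */` and stating in `description` that the vendor fields are non-Latin.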
@@ -5427,7 +7436,7 @@ rule PUA_VULN_Renamed_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautochku
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072004100750074006f00430068006b0055007000640044007200760020004400720069007600650072 } /* FileDescription AsrAutoChkUpdDrvDriver */
@@ -5449,7 +7458,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_0F17 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
@@ -5471,7 +7480,7 @@ rule PUA_VULN_Renamed_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublicbyve
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */
@@ -5487,13 +7496,35 @@ rule PUA_VULN_Renamed_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublicbyve } +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_7CF7 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7cf756afcaf2ce4f8fb479fdede152a17eabf4c5c7c329699dab026a4c1d4fd0" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches 
/elbycdio/i +} + + rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_4408 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -5515,7 +7546,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_D5C4 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ 
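Review bot: This `_7CF7` rule, the `_828A` rule that follows, the `_16B5` rule earlier in this change and the existing `_8137` rule share every string except FileDescription and FileVersion, yet each is maintained as a separate copy with its own exclusion clause (the `_8137` description text already had to be re-aligned in this same commit). One rule named for the driver family, with the shared fields as `$c*`, the FileDescription/FileVersion variants as `$v*`, and a condition of `all of ($c*) and 1 of ($v*)` plus the single `not filename matches /elbycdio/i`, would cover the same samples and list all hashes in one `meta`. If one-rule-per-hash is a deliberate output of the generator, a short comment stating that would stop reviewers from proposing the merge again.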
@@ -5531,13 +7562,35 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_D5C4 { } +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_828A { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "828a18b16418c021b6c4aa8c6d54cef4e815efca0d48b9ff14822f9ccb69dff2" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i 
+} + + rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_3FA6 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5559,7 +7612,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_80A5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5581,7 +7634,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_D783 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -5603,7 +7656,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_ADC1 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
@@ -5625,7 +7678,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_9254 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004400440052005f00430043 } /* FileDescription NTIOLibforMSIDDRCC */
@@ -5647,7 +7700,7 @@ rule PUA_VULN_Renamed_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_F060 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */
@@ -5669,7 +7722,7 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_EF6D {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */
@@ -5691,7 +7744,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_CC68 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
@@ -5713,7 +7766,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Activeclean_A903 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
@@ -5735,7 +7788,7 @@ rule PUA_VULN_Renamed_Driver_Microfocus_Microfocusxtier_5351 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200053006500630075007200690074007900200043006f006e00740065007800740020004d0061006e0061006700650072 } /* FileDescription XTierSecurityContextManager */
@@ -5746,7 +7799,29 @@ rule PUA_VULN_Renamed_Driver_Microfocus_Microfocusxtier_5351 { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310037002c0020004d006900630072006f00200046006f006300750073002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightMicroFocusAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i +} + + +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_1E9C { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1e9c236ed39507661ec32731033c4a9b9c97a6221def69200e03685c08e0bfa7" + hash = "76276c87617b836dd6f31b73d2bb0e756d4b3d133bddfe169cb4225124ca6bfb" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 
} /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nicm/i } @@ -5756,7 +7831,7 @@ rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredri author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "26c28746e947389856543837aa59a5b1f4697e5721a04d00aa28151a2659b097" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ 
@@ -5772,13 +7847,35 @@ rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredri } +rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_A209 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a2096b460e31451659b0dde752264c362f47254c8191930bc921ff16a4311641" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them 
and not filename matches /viragt/i +} + + rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_DBC6 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5800,7 +7897,7 @@ rule PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddk author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -5822,7 +7919,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_2AFD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -5844,7 +7941,7 @@ rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryz author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -5866,7 +7963,7 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_8FE9 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -5885,7 +7982,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_4BC0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -5907,7 +8004,7 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_EEA5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ 
@@ -5923,13 +8020,57 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_EEA5 { } +rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_0EAB { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0eab16c7f54b61620277977f8c332737081a46bc6bbde50742b6904bdd54f502" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e0064007200610020004400650076006900630065002000440072006900760065007200200028007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright 
CopyrightSiSoftwareLtdPresentAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sandra/i +} + + +rule PUA_VULN_Renamed_Driver_Innotekgmbh_Vboxguest_Virtualboxguestadditions_D53F { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxguest.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d53f9111a5e6c94b37e3f39c5860897405cb250dd11aa91c3814a98b1759c055" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004400720069007600650072 } /* FileDescription VirtualBoxGuestDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00760062006f007800670075006500730074 } /* InternalName vboxguest */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760062006f007800670075006500730074002e007300790073 } /* OriginalFilename vboxguestsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ + condition: + 
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /vboxguest/i +} + + rule PUA_VULN_Renamed_Driver_Msi_Ntiolibxsys_Ntiolib_09BE { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ 
@@ -5945,13 +8086,35 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibxsys_Ntiolib_09BE { } +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_6701 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6701433861742c08eb50f1e785962378143ad5b6c374ac29118168599f8a0f1c" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not 
filename matches /HWiNFO32/i +} + + rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_FB6B { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ 
@@ -5967,13 +8130,57 @@ rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_FB6B { } +rule PUA_VULN_Renamed_Driver_Innotekgmbh_Iprt_Virtualboxguestadditions_BBF5 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxMouseNT.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "bbf564a02784d53b8006333406807c3539ee4a594585b1f3713325904cb730ec" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200069003800300034003200200050006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxiPortDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00690038003000340032007000720074 } /* InternalName iprt */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004d006f007500730065004e0054002e007300790073 } /* OriginalFilename VBoxMouseNTsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and 
all of them and not filename matches /VBoxMouseNT/i +} + + +rule PUA_VULN_Renamed_Driver_Proxydrvsys_Nn_C0E7 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ProxyDrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "c0e74f565237c32989cb81234f4b5ad85f9dd731c112847c0a143d771021cb99" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]96f7795e004e004e52a0901f5668002d9a7152a87a0b5e8f65874ef6 } /* FileDescription NN */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]96f7795eff086b666c49ff097f517edc6280672f67099650516c53f8 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c0039002c0035002c0033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* InternalName ProxyDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]96f7795e004e004e52a0901f5668 } /* ProductName NN */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* OriginalFilename ProxyDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000400020005700770077002e004e006e002e0043006f006d } /* LegalCopyright CopyrightWwwNnCom */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /ProxyDrv/i +} + + rule PUA_VULN_Renamed_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_CFB7 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" hash = "cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -5995,7 +8202,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ 
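Review bot: The three CJK-bearing strings in `PUA_VULN_Renamed_Driver_Proxydrvsys_Nn_C0E7` (FileDescription, CompanyName, ProductName) encode each non-ASCII character as a big-endian code unit — `96f7 795e` for U+96F7 U+795E — but PE VersionInfo strings are stored as UTF-16LE, so the bytes on disk are `f7 96 5e 79`. The ASCII-only patterns elsewhere in the file survive this because a zero high byte reads the same either way once the leading `00` is included, but these three can never match, and with `all of them` in the condition the whole rule is dead. Either byte-swap each 16-bit unit of those three strings (the FileDescription value would then begin `f7965e794e004e00…`) or drop them and rely on the ASCII fields, which already pin InternalName, OriginalFilename and the version strings. If these rules come from a generator, the same encoding step will affect any other sample whose VersionInfo contains characters above U+00FF, so it is worth checking there as well.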
@@ -6011,13 +8218,35 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex } +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F42E { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f42eb29f5b2bcb2a70d796fd71fd1b259d5380b216ee672cf46dcdd4604b87ad" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200032002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches 
/elbycdio/i +} + + rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_81AA { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -6039,7 +8268,7 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2B4C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ 
@@ -6055,13 +8284,35 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2B4C { } +rule PUA_VULN_Renamed_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_B9AE { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b9ae1d53a464bc9bb86782ab6c55e2da8804c80a361139a82a6c8eef30fddd7c" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310034002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /segwindrvx64/i +} + + rule PUA_VULN_Renamed_Driver_Arthurliberman_Alsysiosys_Alsysio_7F37 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */ 
@@ -6077,13 +8328,78 @@ rule PUA_VULN_Renamed_Driver_Arthurliberman_Alsysiosys_Alsysio_7F37 { } +rule PUA_VULN_Renamed_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_38D6 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "38d6d90d543bf6037023c1b1b14212b4fa07731cbbb44bdb17e8faffc12b22e8" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200034002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200034002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310033002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /segwindrvx64/i +} + + +rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_B205 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkiow8x64.sys " + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* InternalName rtkiowxsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkiow8x64/i +} + + +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtierforwindows_V_CA34 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ca34f945117ec853a713183fa4e8cf85ea0c2c49ca26e73d869fee021f7b491d" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00760032002e003000200028003200300030003600300038003000380029 } /* ProductVersion v */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i +} + + rule PUA_VULN_Renamed_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_AD23 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ 
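Review bot: The description of `PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_B205` carries a trailing space inside the string literal (`rtkiow8x64.sys "`), unlike every other description in the file; `description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkiow8x64.sys"` keeps the meta consistent for anyone grepping or diffing by description. Relatedly, the CompanyName, ProductName, InternalName and LegalCopyright patterns in that rule embed long runs of `0020`, presumably the padding spaces present in the referenced sample's VersionInfo; that is faithful to the listed hash, but it makes the rule brittle against a rebuilt binary whose resource strings are trimmed, so a short trailing comment such as `/* CompanyName Realtek - value is space-padded in the sample */` would tell the next maintainer why the string is that long rather than a mistake.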
@@ -6105,7 +8421,7 @@ rule PUA_VULN_Renamed_Driver_Symanteccorporation_Vproeventmonitorsys_Symanteceve author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e0053007900730020002d0020004500760065006e00740020004d006f006e00690074006f00720069006e00670020006400720069007600650072 } /* FileDescription VProEventMonitorSysEventMonitoringdriver */ 
@@ -6121,13 +8437,57 @@ rule PUA_VULN_Renamed_Driver_Symanteccorporation_Vproeventmonitorsys_Symanteceve } +rule PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_EAA5 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "eaa5dae373553024d7294105e4e07d996f3a8bd47c770cdf8df79bf57619a8cd" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055002d005a0020004400720069007600650072 } /* FileDescription CPUZDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i +} + + +rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_8EF5 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8ef59605ebb2cb259f19aba1a8c122629c224c58e603f270eaa72f516277620c" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300032002e0030003100310036002e00320030003100350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300032002e0030003100310036002e0032003000310035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f0044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i +} + + rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_0B2A { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ 
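Review bot: In the condition of the new rtkio rule, `not filename matches /rtkio/i` already rejects every filename containing "rtkio", so the three clauses that follow (`/rtkio64/i`, `/rtkiow8x64/i`, `/rtkiow10x64/i`) can never change the outcome and only make the condition harder to read. The equivalent condition is `uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i`. If the generator emits one clause per filename listed in the description by design, a short comment in the generator explaining that the overlap is intentional would spare the next reader the same double-take; the cpuz rule in the same hunk is fine as written.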
@@ -6149,7 +8509,7 @@ rule PUA_VULN_Renamed_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_372 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -6171,7 +8531,7 @@ rule PUA_VULN_Renamed_Driver_Windowswinowsdriverkitsprovider_Hwrwdrvsys_Hardware author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200072006500610064002000260020007700720069007400650020006400720069007600650072 } /* FileDescription Hardwarereadwritedriver */ 
@@ -6187,35 +8547,13 @@ rule PUA_VULN_Renamed_Driver_Windowswinowsdriverkitsprovider_Hwrwdrvsys_Hardware } -rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_CF69 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb" - date = "2023-07-14" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000340020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /EIO/i -} 
- - rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_133E { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ 
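Review bot: The rule covering the renamed EIO.sys sample with hash cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb is deleted here and nothing in this hunk, or in the visible part of the diff, re-adds it, so detection of that renamed driver is lost unless the rule moved to another rule file. If the sample was deliberately reclassified out of this set, saying so in the commit message would make the coverage change auditable; otherwise the rule should be kept.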
@@ -6231,13 +8569,35 @@ rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredri } +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_E505 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e505569892551b2ba79d8792badff0a41faea033e8d8f85c3afea33463c70bd9" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d00200044007200690076006500720020002800360034002d0042006900740029 } /* FileDescription TrendMicroELAMDriverBit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Tmel/i +} + + rule PUA_VULN_Renamed_Driver_Logmeininc_Lmiinfosys_Logmein_453B { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LMIinfo.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f0067004d00650049006e0020004b00650072006e0065006c00200049006e0066006f0072006d006100740069006f006e002000500072006f00760069006400650072 } /* FileDescription LogMeInKernelInformationProvider */ 
@@ -6255,11 +8615,11 @@ rule PUA_VULN_Renamed_Driver_Logmeininc_Lmiinfosys_Logmein_453B { rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9679 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ 
@@ -6271,7 +8631,29 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9679 { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + +rule PUA_VULN_Renamed_Driver_Innotekgmbh_Vboxusbsys_Virtualboxusbdriver_C509 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSB.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "c509935f3812ad9b363754216561e0a529fc2d5b8e86bfa7302b8d149b7d04aa" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* FileDescription VirtualBoxUSBdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* InternalName VBoxUSBSys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* ProductName VirtualBoxUSBdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* OriginalFilename VBoxUSBSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright innotekGmbH */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VBoxUSB/i } @@ -6281,7 +8663,7 @@ rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Iomapsys_Asuskernelmodedriverfor author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410053005500530020004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200066006f00720020004e00540020 } /* FileDescription ASUSKernelModeDriverforNT */ @@ -6303,7 +8685,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_EBE2 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ 
@@ -6325,7 +8707,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_7AD0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -6347,7 +8729,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_2732 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ 
@@ -6363,13 +8745,35 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_2732 { } +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_AF16 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "af16c36480d806adca881e4073dcd41acb20c35ed0b1a8f9bd4331de655036e1" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200032002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200032002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003200200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and 
not filename matches /elbycdio/i +} + + rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_FF96 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -6391,7 +8795,7 @@ rule PUA_VULN_Renamed_Driver_Nvidiacorporation_Nvflash_Nvidiaflashdriver_AFDD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0056004900440049004100200046006c0061007300680020004400720069007600650072002c002000560065007200730069006f006e00200031002e0038002e0030 } /* FileDescription NVIDIAFlashDriverVersion */ @@ -6413,7 +8817,7 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_D1F4 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
@@ -6429,13 +8833,35 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_D1F4 { } +rule PUA_VULN_Renamed_Driver_Netfiltersdkcom_Lgdcatchersys_Netfiltersdk_0C42 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgDCatcher.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0c42fe45ffa9a9c36c87a7f01510a077da6340ffd86bf8509f02c6939da133c5" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKTDIHookDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* CompanyName NetFilterSDKcom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0039 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c006700440043006100740063006800650072002e007300790073 } /* InternalName LgDCatchersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0065007400460069006c007400650072002000530044004b } /* ProductName NetFilterSDK */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c006700440043006100740063006800650072002e007300790073 } /* OriginalFilename LgDCatchersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020003f0020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ + condition: + uint16(0) 
== 0x5a4d and filesize < 100KB and all of them and not filename matches /LgDCatcher/i +} + + rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gdrv_FF67 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050004e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPNPDriver */ @@ -6457,7 +8883,7 @@ rule PUA_VULN_Renamed_Driver_Mitactechnologycorporation_Mtcbsvsys_Mitacsystemser author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription MiTACSystemServiceProvider */ @@ -6479,7 +8905,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_EC5F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
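Review bot: The LegalCopyright string of the LgDCatcher rule encodes the character between `Copyright` and `NetFilterSDK.com` as `003f` (`?`), which looks like a replacement character substituted for a non-ASCII symbol during extraction; the Novell rule earlier in this file encodes the same position as `00a9` (`©`). If the sample's VersionInfo actually holds U+00A9 there, this string can never match and `all of them` makes the whole rule dead. This is worth verifying against the sample with hash 0c42fe45ffa9a9c36c87a7f01510a077da6340ffd86bf8509f02c6939da133c5 and then either correcting the byte or dropping that one string from the rule.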
@@ -6501,7 +8927,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ diff --git a/yaml/0258df5c-c3c1-4ed5-ba8f-846d91526ffe.yaml b/yaml/0258df5c-c3c1-4ed5-ba8f-846d91526ffe.yaml index 94cd54510..faa82f23a 100644 --- a/yaml/0258df5c-c3c1-4ed5-ba8f-846d91526ffe.yaml +++ b/yaml/0258df5c-c3c1-4ed5-ba8f-846d91526ffe.yaml @@ -22,6 +22,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 0258df5c-c3c1-4ed5-ba8f-846d91526ffe KnownVulnerableSamples: - Authentihash: diff --git a/yaml/02e4a30f-8aa8-4ff0-8e02-1bff1d0f088f.yaml b/yaml/02e4a30f-8aa8-4ff0-8e02-1bff1d0f088f.yaml index 593fe296f..0d5eeb094 100644 
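Review bot: The appended block re-adds `sigma_hash`, `sigma_names`, `sysmon_hash_detect` and `sysmon_hash_block` entries that this file's Detection list already contains (the two sysmon entries are visible as context directly above the insertion), so the list now holds duplicates; the same happens in the hunks for 04d377f9, 0567c6c4 and 080ff223 further down. Judging by the enrichment script in this diff, the `yara_signature` link is guarded by a `not in yaml_data['Detection']` check while the sigma and sysmon lists are appended with `extend` unconditionally, so the duplicates will grow on every run. Applying the same membership check to each sigma/sysmon entry, or deduplicating the list before it is dumped, would keep these files stable.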
--- a/yaml/02e4a30f-8aa8-4ff0-8e02-1bff1d0f088f.yaml +++ b/yaml/02e4a30f-8aa8-4ff0-8e02-1bff1d0f088f.yaml @@ -15,6 +15,16 @@ Created: '2023-07-22' Detection: - type: '' value: '' +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 02e4a30f-8aa8-4ff0-8e02-1bff1d0f088f KnownVulnerableSamples: - Authentihash: diff --git a/yaml/043773c5-120a-4c6b-8485-8f1f5c47fd3e.yml b/yaml/043773c5-120a-4c6b-8485-8f1f5c47fd3e.yml index ededcd28a..0ad4c87d1 100644 --- a/yaml/043773c5-120a-4c6b-8485-8f1f5c47fd3e.yml +++ b/yaml/043773c5-120a-4c6b-8485-8f1f5c47fd3e.yml 
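Review bot: The placeholder entry `- type: ''` / `value: ''` is left in place above the newly added detections, so consumers of this file now see an empty detection next to the real ones; the same placeholder survives in the 080a834f hunk below. Since the Detection list has real content after this change, the empty entry should be dropped, either in the file itself or by having the enrichment script discard entries whose `type` and `value` are both empty before dumping.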
@@ -16,7 +16,17 @@ Resources: Acknowledgement: Person: [] Handle: '' -Detection: [] +Detection: +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml KnownVulnerableSamples: - Filename: aswArPot.sys MD5: c61876aaca6ce822be18adb9d9bd4260 diff --git a/yaml/04d377f9-36e0-42a4-8d47-62232163dc68.yaml b/yaml/04d377f9-36e0-42a4-8d47-62232163dc68.yaml index d861855da..ce05dae30 100644 --- a/yaml/04d377f9-36e0-42a4-8d47-62232163dc68.yaml +++ b/yaml/04d377f9-36e0-42a4-8d47-62232163dc68.yaml 
@@ -24,6 +24,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 04d377f9-36e0-42a4-8d47-62232163dc68 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/0567c6c4-282f-406f-9369-7f876b899c25.yml b/yaml/0567c6c4-282f-406f-9369-7f876b899c25.yml index fb154cc04..a04e35204 100644 --- a/yaml/0567c6c4-282f-406f-9369-7f876b899c25.yml +++ b/yaml/0567c6c4-282f-406f-9369-7f876b899c25.yml 
@@ -94,6 +94,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml KnownVulnerableSamples: - Filename: procexp.Sys MD5: e6cb1728c50bd020e531d19a14904e1c diff --git a/yaml/080a834f-3e19-4cae-b940-a4ecf901db28.yaml b/yaml/080a834f-3e19-4cae-b940-a4ecf901db28.yaml index b7b7491fe..93fb19b6f 100644 --- a/yaml/080a834f-3e19-4cae-b940-a4ecf901db28.yaml +++ b/yaml/080a834f-3e19-4cae-b940-a4ecf901db28.yaml 
@@ -15,6 +15,16 @@ Created: '2023-07-22'
 Detection:
 - type: ''
 value: ''
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 080a834f-3e19-4cae-b940-a4ecf901db28
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/080ff223-f8e0-49c0-a7b5-e97349cf81a0.yaml b/yaml/080ff223-f8e0-49c0-a7b5-e97349cf81a0.yaml
index 82965761c..b0c5e5ee6 100644
--- a/yaml/080ff223-f8e0-49c0-a7b5-e97349cf81a0.yaml
+++ b/yaml/080ff223-f8e0-49c0-a7b5-e97349cf81a0.yaml
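Review bot: The empty placeholder `- type: ''` / `value: ''` is kept as context while five real detections are appended after it, so the Detection list now carries a record with a blank type and a blank value next to real ones; anything that renders or indexes Detection by type will emit an empty row for this driver. The placeholder should be deleted in the same change (two `-` lines in this hunk) rather than left in front of the new entries. Presumably the enrichment step only appends and never prunes the `{type: '', value: ''}` sentinel; filtering it out before appending, e.g. `detections = [d for d in yaml_data['Detection'] if d.get('type')]`, would fix every file with this pattern.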
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 080ff223-f8e0-49c0-a7b5-e97349cf81a0
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/0baa833c-e4e1-449e-86ee-cafeb11f5fd5.yaml b/yaml/0baa833c-e4e1-449e-86ee-cafeb11f5fd5.yaml
index b4ab315fa..8d9d8da68 100644
--- a/yaml/0baa833c-e4e1-449e-86ee-cafeb11f5fd5.yaml
+++ b/yaml/0baa833c-e4e1-449e-86ee-cafeb11f5fd5.yaml
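Review bot: The added `sysmon_hash_block` entry is byte-identical to the context line directly above it, so this file now lists that reference twice (and, by the same mechanism, presumably sigma_hash, sigma_names and sysmon_hash_detect as well). Keep only the `yara_signature` addition here and make the generator skip entries already present in `Detection`.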
@@ -15,6 +15,16 @@ Created: '2023-07-22'
 Detection:
 - type: ''
 value: ''
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 0baa833c-e4e1-449e-86ee-cafeb11f5fd5
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/0e3b0052-18c7-4c8b-a064-a1332df07af2.yaml b/yaml/0e3b0052-18c7-4c8b-a064-a1332df07af2.yaml
index 45e5f7cb4..fa16c4d60 100644
--- a/yaml/0e3b0052-18c7-4c8b-a064-a1332df07af2.yaml
+++ b/yaml/0e3b0052-18c7-4c8b-a064-a1332df07af2.yaml
@@ -15,6 +15,16 @@ Created: '2023-07-22'
 Detection:
 - type: ''
 value: ''
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 0e3b0052-18c7-4c8b-a064-a1332df07af2
 KnownVulnerableSamples:
 - Authentihash:
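Review bot: In the 0baa833c hunk the blank placeholder `- type: ''` / `value: ''` survives as context in front of the five real entries, leaving a record with empty type and value in Detection. Drop the placeholder in this change instead of appending after it.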
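Review bot: The 0e3b0052 hunk has the same problem: the `- type: ''` / `value: ''` sentinel is left in place while real detections are added below it, so consumers see an empty detection record for this driver. Remove the two placeholder lines here as well, and have the generator filter blank-type entries before appending.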
diff --git a/yaml/0e8da43d-92e0-43f9-bc34-50a7d15b34bd.yml b/yaml/0e8da43d-92e0-43f9-bc34-50a7d15b34bd.yml
index ce5669725..11e6c1d22 100644
--- a/yaml/0e8da43d-92e0-43f9-bc34-50a7d15b34bd.yml
+++ b/yaml/0e8da43d-92e0-43f9-bc34-50a7d15b34bd.yml
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
 Person: Michael Alfaro
 Handle: '@_mmpte_software'
-Detection: []
+Detection:
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: etdsupp.sys
 MD5: a92bf3c219a5fa82087b6c31bdf36ff3
diff --git a/yaml/0f59ce3b-20ac-41ba-8010-2abc74827eb8.yaml b/yaml/0f59ce3b-20ac-41ba-8010-2abc74827eb8.yaml
index 01bac3c1c..8737792c1 100644
--- a/yaml/0f59ce3b-20ac-41ba-8010-2abc74827eb8.yaml
+++ b/yaml/0f59ce3b-20ac-41ba-8010-2abc74827eb8.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 0f59ce3b-20ac-41ba-8010-2abc74827eb8
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/0f8e317e-ad2b-4b02-9f96-603bb8d28604.yaml b/yaml/0f8e317e-ad2b-4b02-9f96-603bb8d28604.yaml
index dd6b335a2..94766fe61 100644
--- a/yaml/0f8e317e-ad2b-4b02-9f96-603bb8d28604.yaml
+++ b/yaml/0f8e317e-ad2b-4b02-9f96-603bb8d28604.yaml
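Review bot: The `sysmon_hash_block` line added at the end of this hunk duplicates the context line right above the insertion point, URL for URL, so the 0f59ce3b entry now repeats its sysmon (and presumably sigma) references. Only the `yara_signature` entry should be appended; the generator needs a membership check before extending `Detection` with the shared sigma/sysmon links.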
@@ -15,6 +15,16 @@ Created: '2023-07-22'
 Detection:
 - type: ''
 value: ''
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 0f8e317e-ad2b-4b02-9f96-603bb8d28604
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/10b1fc3d-c444-4885-8ca9-4b5891885507.yml b/yaml/10b1fc3d-c444-4885-8ca9-4b5891885507.yml
index ee7d1b4f8..ec4ff9a4e 100644
--- a/yaml/10b1fc3d-c444-4885-8ca9-4b5891885507.yml
+++ b/yaml/10b1fc3d-c444-4885-8ca9-4b5891885507.yml
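Review bot: The blank `- type: ''` / `value: ''` placeholder is retained as context above the new entries, so Detection for 0f8e317e contains an empty record alongside the five real ones. Remove the placeholder as part of this change; a sentinel that was only meaningful for an otherwise empty list should not survive once real detections exist.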
@@ -30,6 +30,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: atillk64.sys
 MD5: 27d21eeff199ed555a29ca0ea4453cfb
diff --git a/yaml/127cde1d-905e-4c67-a2c3-04ea4deaea7d.yaml b/yaml/127cde1d-905e-4c67-a2c3-04ea4deaea7d.yaml
index cbbb3c49c..155d7eabc 100644
--- a/yaml/127cde1d-905e-4c67-a2c3-04ea4deaea7d.yaml
+++ b/yaml/127cde1d-905e-4c67-a2c3-04ea4deaea7d.yaml
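Review bot: The atillk64.sys entry already carries a `sysmon_hash_block` record (the context line just above the insertion) and this hunk appends an identical one, so the file now lists the same reference twice; the sigma_hash, sigma_names and sysmon_hash_detect additions are presumably duplicates for the same reason. Only the `yara_signature` line adds information; drop the other four and make the generator check `rule not in yaml_data['Detection']` before appending.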
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 127cde1d-905e-4c67-a2c3-04ea4deaea7d
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/13637210-2e1c-45a4-9f76-fe38c3c34264.yml b/yaml/13637210-2e1c-45a4-9f76-fe38c3c34264.yml
index 863f41924..e7d0c79bc 100644
--- a/yaml/13637210-2e1c-45a4-9f76-fe38c3c34264.yml
+++ b/yaml/13637210-2e1c-45a4-9f76-fe38c3c34264.yml
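Review bot: The `yara_signature` for 127cde1d points at `yara-rules_mal_drivers_strict.yar` while every other file in this diff links `yara-rules_vuln_drivers_strict_renamed.yar`, and the sigma/sysmon links added alongside it are all the `vuln_drivers` rule sets. If this driver's Category (not visible in the hunk) is "vulnerable driver" rather than malicious, the link is likely a first-match artefact of scanning the rule files in a fixed order and stopping at the first file containing the hash; confirm the sample really is covered by the mal_drivers rules, or list every rule file that matches instead of only the first. Separately, the `sysmon_hash_block` entry added here repeats the context line directly above it, so the sigma/sysmon additions in this hunk are duplicates and should be dropped.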
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
 Person: []
 Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: HpPortIox64.sys
 MD5: 7b9e1e5e8ff4f18f84108bb9f7b5d108
diff --git a/yaml/137daca4-0d7b-48aa-8574-f7eb6ad02526.yaml b/yaml/137daca4-0d7b-48aa-8574-f7eb6ad02526.yaml
index fcc64693b..0a9a84419 100644
--- a/yaml/137daca4-0d7b-48aa-8574-f7eb6ad02526.yaml
+++ b/yaml/137daca4-0d7b-48aa-8574-f7eb6ad02526.yaml
@@ -24,6 +24,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 137daca4-0d7b-48aa-8574-f7eb6ad02526
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/13973a71-412f-4a18-a2a6-476d3853f8de.yml b/yaml/13973a71-412f-4a18-a2a6-476d3853f8de.yml
index 68c2c866a..d79c34a03 100644
--- a/yaml/13973a71-412f-4a18-a2a6-476d3853f8de.yml
+++ b/yaml/13973a71-412f-4a18-a2a6-476d3853f8de.yml
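Review bot: The added `sysmon_hash_block` entry duplicates the context line immediately above it, so the 137daca4 Detection list repeats that reference (and presumably the sigma_hash, sigma_names and sysmon_hash_detect ones too). Keep the `yara_signature` addition and drop the other four; the generator should only append shared sigma/sysmon links that are not already present.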
@@ -17,7 +17,17 @@ Resources:
 Acknowledgement:
 Person: []
 Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: AMDRyzenMasterDriver.sys
 MD5: f16b44cca74d3c3645e4c0a6bb5c0cb9
diff --git a/yaml/16d8962b-cf96-432f-8a43-d41f06828f56.yaml b/yaml/16d8962b-cf96-432f-8a43-d41f06828f56.yaml
new file mode 100644
index 000000000..af4198000
--- /dev/null
+++ b/yaml/16d8962b-cf96-432f-8a43-d41f06828f56.yaml
@@ -0,0 +1,6878 @@ +Id: 16d8962b-cf96-432f-8a43-d41f06828f56 +Author: Nasreddine Bencherchali +Created: '2023-05-06' +MitreID: T1068 +Category: vulnerable driver +Verified: 'TRUE' +Commands: + Command: sc.exe create cpuz.sys binPath=C:\windows\temp\cpuz.sys type=kernel && + sc.exe start cpuz.sys + Description: '' + Usecase: Elevate privileges + Privileges: kernel + OperatingSystem: Windows 10 +Resources: +- Internal Research +Acknowledgement: + Person: '' + Handle: '' +Detection: +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +KnownVulnerableSamples: +- Filename: cpuz.sys + MD5: a89ca92145fc330adced0dd005421183 + SHA1: e33eac9d3b9b5c0db3db096332f059bf315a2343 + SHA256: 0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f + Authentihash: + MD5: d9d45430dc3fb1c7154c109f9d85d70e + SHA1: 4f52e85725556496f9102bba0fdf9d13f721c675 + SHA256: 90f5962e6b2342eae05dc8f4c34d5291742537248587ccf6ac298691806a4517 + Description: CPUID Driver + Company: CPUID + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: CPUID service + ProductVersion: 6.1.7600.16385 + Copyright: Copyright(C) 2010 CPUID + MachineType: I386 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - IofCompleteRequest + - ExFreePool + - 
ExAllocatePoolWithTag + - RtlFreeUnicodeString + - ObfDereferenceObject + - MmIsAddressValid + - IoGetDeviceObjectPointer + - RtlAnsiStringToUnicodeString + - MmUnmapIoSpace + - MmMapIoSpace + - IoCreateSymbolicLink + - IoCreateDevice + - DbgPrint + - RtlUnwind + - KeTickCount + - KeBugCheckEx + - RtlInitUnicodeString + - IoDeleteSymbolicLink + - IoDeleteDevice + - PsGetVersion + - KeInitializeEvent + - IoBuildDeviceIoControlRequest + - IofCallDriver + - KeWaitForSingleObject + - RtlInitAnsiString + - IoCancelIrp + - READ_PORT_USHORT + - READ_PORT_ULONG + - WRITE_PORT_UCHAR + - WRITE_PORT_USHORT + - WRITE_PORT_ULONG + - HalGetBusDataByOffset + - HalSetBusDataByOffset + - KeStallExecutionProcessor + - READ_PORT_UCHAR + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer + , G3 + ValidFrom: '2012-05-01 00:00:00' + ValidTo: '2012-12-31 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 79a2a585f9d1154213d9b83ef6b68ded + Version: 3 + TBS: + MD5: e6d820afb23af20a65cf0b03247ea05e + SHA1: 7a8f7c37453f99390ee1e94bb5d3d1cba3a0eea7 + SHA256: 7e722dc40e6b9abf8c20aa4d887e34b6d2c6b8cbe53a055d49bf9f5e946e0d27 + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2013-12-03 23:59:59' + Signature: 4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 47bf1995df8d524643f7db6d480d31a4 + Version: 3 + TBS: + MD5: 518d2ea8a21e879c942d504824ac211c + SHA1: 21ce87d827077e61abddf2beba69fde5432ea031 + SHA256: 
1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2006-11-08 00:00:00' + ValidTo: '2021-11-07 23:59:59' + Signature: 1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 250ce8e030612e9f2b89f7054d7cf8fd + Version: 3 + TBS: + MD5: 918d9eb6a6cd36c531eceb926170a7e1 + SHA1: 0ae95700d65e6f59715aa47048993ca7858e676a + SHA256: 47c46e6eaa3780eace3d0d891346cd373359d246b21a957219dbab4c8f37c166 + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft + Software Validation v2, CN=CPUID + ValidFrom: '2012-01-06 00:00:00' + ValidTo: '2015-02-06 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 53c8b54713882d4d5439511804935e + Version: 3 + TBS: + MD5: 49e7946e133b4aaa31899adb235d3fa9 + SHA1: f9f38ec49a6ccb990805be6dda0efa5f7fe8f7e7 + SHA256: 1bb998a806b890e3300be35de0daa1b691fa218ef3d58ee5ec1b43fd34250a74 + - Subject: 
C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 53c8b54713882d4d5439511804935e + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 + RichPEHeaderHash: + MD5: 573ac9a3fc69d00f19723f196162680e + SHA1: 7e21d51681f265bad20f1db06cd0831b80d4fed2 + SHA256: 79749e2d14cda7629ae1b8bdc88101418cb5a099b93137ea76824b0246209519 + Sections: + .text: + Entropy: 6.222402374512635 + Virtual Size: '0x2780' + .rdata: + Entropy: 4.5251453594439255 + Virtual Size: '0x300' + .data: + Entropy: 0.335842300318532 + Virtual Size: '0x1e0' + INIT: + Entropy: 5.423515041101043 + Virtual Size: '0x404' + .rsrc: + Entropy: 3.3927376128305218 + Virtual Size: '0x350' + .reloc: + Entropy: 5.4807357701963335 + Virtual Size: '0x258' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2012-08-11 01:45:54' +- Filename: cpuz.sys + MD5: 26ce59f9fc8639fd7fed53ce3b785015 + SHA1: 2bf6b88b84d27cdf0699d6d18b08a1b36310cdd1 + SHA256: 11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b + Authentihash: + MD5: 0fef96c1d46145af32eb6993faa6e496 + SHA1: 4d26356a4a48d492b00845a7ac1bb27a92f95871 + SHA256: 0aa61910c3ceb765441c35925a50983b2571ac22da510f1495cf82f078b535b6 + Description: CPUID Driver + Company: CPUID + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: 
CPUID service + ProductVersion: 6.1.7600.16385 + Copyright: Copyright(C) 2010 CPUID + MachineType: I386 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - IofCompleteRequest + - ExFreePool + - ExAllocatePoolWithTag + - RtlFreeUnicodeString + - ObfDereferenceObject + - MmIsAddressValid + - IoGetDeviceObjectPointer + - MmUnmapIoSpace + - RtlInitAnsiString + - MmMapIoSpace + - IoCreateSymbolicLink + - IoCreateDevice + - RtlUnwind + - KeTickCount + - KeBugCheckEx + - RtlInitUnicodeString + - IoDeleteSymbolicLink + - IoDeleteDevice + - PsGetVersion + - KeInitializeEvent + - IoBuildDeviceIoControlRequest + - IofCallDriver + - KeWaitForSingleObject + - RtlAnsiStringToUnicodeString + - IoCancelIrp + - READ_PORT_USHORT + - READ_PORT_ULONG + - WRITE_PORT_UCHAR + - WRITE_PORT_USHORT + - WRITE_PORT_ULONG + - HalGetBusDataByOffset + - HalSetBusDataByOffset + - KeStallExecutionProcessor + - READ_PORT_UCHAR + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , + G2 + ValidFrom: '2007-06-15 00:00:00' + ValidTo: '2012-06-14 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 3825d7faf861af9ef490e726b5d65ad5 + Version: 3 + TBS: + MD5: d6c7684e9aaa508cf268335f83afe040 + SHA1: 18066d20ad92409c567cdfde745279ff71c75226 + SHA256: a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2013-12-03 23:59:59' + Signature: 4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a + SignatureAlgorithmOID: 
1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 47bf1995df8d524643f7db6d480d31a4 + Version: 3 + TBS: + MD5: 518d2ea8a21e879c942d504824ac211c + SHA1: 21ce87d827077e61abddf2beba69fde5432ea031 + SHA256: 1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2006-11-08 00:00:00' + ValidTo: '2021-11-07 23:59:59' + Signature: 1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 250ce8e030612e9f2b89f7054d7cf8fd + Version: 3 + TBS: + MD5: 918d9eb6a6cd36c531eceb926170a7e1 + SHA1: 0ae95700d65e6f59715aa47048993ca7858e676a + SHA256: 47c46e6eaa3780eace3d0d891346cd373359d246b21a957219dbab4c8f37c166 + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 
01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft + Software Validation v2, CN=CPUID + ValidFrom: '2012-01-06 00:00:00' + ValidTo: '2015-02-06 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 53c8b54713882d4d5439511804935e + Version: 3 + TBS: + MD5: 49e7946e133b4aaa31899adb235d3fa9 + SHA1: f9f38ec49a6ccb990805be6dda0efa5f7fe8f7e7 + SHA256: 1bb998a806b890e3300be35de0daa1b691fa218ef3d58ee5ec1b43fd34250a74 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa 
(c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 53c8b54713882d4d5439511804935e + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 + RichPEHeaderHash: + MD5: 41f15d0f328a165973b49de608ef72a2 + SHA1: abcd9850775bd0a1a855e785a238e0e69525810f + SHA256: 02dc44b04a6426fcaedf26995bfa471f123a90a9c747e82cebaf95f394890631 + Sections: + .text: + Entropy: 6.217408305730309 + Virtual Size: '0x2750' + .rdata: + Entropy: 4.55489113332384 + Virtual Size: '0x2f0' + .data: + Entropy: 0.335842300318532 + Virtual Size: '0x1e0' + INIT: + Entropy: 5.41983369153965 + Virtual Size: '0x3f4' + .rsrc: + Entropy: 3.3927376128305218 + Virtual Size: '0x350' + .reloc: + Entropy: 5.5051908528223255 + Virtual Size: '0x254' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2012-03-09 01:55:45' +- Filename: cpuz.sys + MD5: 75dbd5db9892d7451d0429bec1aabe1a + SHA1: c05df2e56e05b97e3ca8c6a61865cae722ed3066 + SHA256: 19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758 + Authentihash: + MD5: dfb8cce9246e17f356504802d14d019d + SHA1: 189bedcea5ec5bfc724ff44b4b44958dc450c7db + SHA256: 4b5aecfecf26145aadd23f96a1cdfae0bca4e53af215d4bd77bba5dcc5a4479b + Description: CPUID Driver + Company: CPUID + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: CPUID service + ProductVersion: 6.1.7600.16385 + Copyright: Copyright(C) 2010 CPUID + MachineType: AMD64 + 
Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - RtlAnsiStringToUnicodeString + - RtlInitUnicodeString + - IoDeleteDevice + - KeInitializeEvent + - RtlInitAnsiString + - MmUnmapIoSpace + - IoCancelIrp + - RtlFreeUnicodeString + - IoGetDeviceObjectPointer + - ExFreePoolWithTag + - IofCompleteRequest + - KeWaitForSingleObject + - PsGetVersion + - IoCreateSymbolicLink + - MmIsAddressValid + - ObfDereferenceObject + - IoCreateDevice + - IofCallDriver + - KeBugCheckEx + - IoDeleteSymbolicLink + - IoBuildDeviceIoControlRequest + - MmMapIoSpace + - ExAllocatePoolWithTag + - RtlUnwindEx + - HalSetBusDataByOffset + - KeStallExecutionProcessor + - HalGetBusDataByOffset + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , + G2 + ValidFrom: '2007-06-15 00:00:00' + ValidTo: '2012-06-14 23:59:59' + Signature: 50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 3825d7faf861af9ef490e726b5d65ad5 + Version: 3 + TBS: + MD5: d6c7684e9aaa508cf268335f83afe040 + SHA1: 18066d20ad92409c567cdfde745279ff71c75226 + SHA256: a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2013-12-03 23:59:59' + Signature: 
4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 47bf1995df8d524643f7db6d480d31a4 + Version: 3 + TBS: + MD5: 518d2ea8a21e879c942d504824ac211c + SHA1: 21ce87d827077e61abddf2beba69fde5432ea031 + SHA256: 1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2006-11-08 00:00:00' + ValidTo: '2021-11-07 23:59:59' + Signature: 1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 250ce8e030612e9f2b89f7054d7cf8fd + Version: 3 + TBS: + MD5: 918d9eb6a6cd36c531eceb926170a7e1 + SHA1: 0ae95700d65e6f59715aa47048993ca7858e676a + SHA256: 47c46e6eaa3780eace3d0d891346cd373359d246b21a957219dbab4c8f37c166 + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , 
Microsoft + Software Validation v2, CN=CPUID + ValidFrom: '2012-01-06 00:00:00' + ValidTo: '2015-02-06 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 53c8b54713882d4d5439511804935e + Version: 3 + TBS: + MD5: 49e7946e133b4aaa31899adb235d3fa9 + SHA1: f9f38ec49a6ccb990805be6dda0efa5f7fe8f7e7 + SHA256: 1bb998a806b890e3300be35de0daa1b691fa218ef3d58ee5ec1b43fd34250a74 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 53c8b54713882d4d5439511804935e + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 + RichPEHeaderHash: + MD5: 685a19a8e9f46a76067db83da501dca0 + SHA1: 5f76e4cf5157450837536db016e9981cb41394d2 + SHA256: 1a0c69ff029488d41c7d9413943c28d389016adb26698d9baf02c6f32739d591 + Sections: + .text: + Entropy: 6.207830883313713 + Virtual Size: '0x25d6' + .rdata: + Entropy: 4.172824067374571 + Virtual Size: '0x3ec' + .data: + Entropy: 0.378703493487675 + Virtual Size: '0x2c0' + .pdata: + Entropy: 3.503621523339014 + Virtual Size: '0xc0' + INIT: + Entropy: 5.076575853289 + Virtual Size: '0x406' + .rsrc: + Entropy: 3.3943730160709853 + Virtual Size: '0x350' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2012-03-09 01:56:55' +- Filename: cpuz.sys + MD5: 
fe820a5f99b092c3660762c6fc6c64e0 + SHA1: fad8e308f6d2e6a9cfaf9e6189335126a3c69acb + SHA256: 1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961 + Authentihash: + MD5: 97861c7d308c22f4db08d08ce912fced + SHA1: 368c63d2f393ef65f8107d175174e9eaa13d993e + SHA256: 3966d4b1e4f5442b8507f91b6dbde3523657b47fd2945d990249605727d231ec + Description: CPUID Driver + Company: CPUID + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: CPUID service + ProductVersion: 6.1.7600.16385 + Copyright: Copyright(C) 2012 CPUID + MachineType: AMD64 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - RtlAnsiStringToUnicodeString + - RtlInitUnicodeString + - IoDeleteDevice + - KeInitializeEvent + - RtlInitAnsiString + - MmUnmapIoSpace + - IoCancelIrp + - RtlFreeUnicodeString + - IoGetDeviceObjectPointer + - ExFreePoolWithTag + - IofCompleteRequest + - KeWaitForSingleObject + - PsGetVersion + - IoCreateSymbolicLink + - MmIsAddressValid + - ObfDereferenceObject + - IoCreateDevice + - IofCallDriver + - KeBugCheckEx + - IoDeleteSymbolicLink + - IoBuildDeviceIoControlRequest + - MmMapIoSpace + - ExAllocatePoolWithTag + - RtlUnwindEx + - HalSetBusDataByOffset + - KeStallExecutionProcessor + - HalGetBusDataByOffset + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer + , G3 + ValidFrom: '2012-05-01 00:00:00' + ValidTo: '2012-12-31 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 79a2a585f9d1154213d9b83ef6b68ded + Version: 3 + TBS: + MD5: e6d820afb23af20a65cf0b03247ea05e + SHA1: 7a8f7c37453f99390ee1e94bb5d3d1cba3a0eea7 + SHA256: 7e722dc40e6b9abf8c20aa4d887e34b6d2c6b8cbe53a055d49bf9f5e946e0d27 + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA + 
ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2013-12-03 23:59:59' + Signature: 4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 47bf1995df8d524643f7db6d480d31a4 + Version: 3 + TBS: + MD5: 518d2ea8a21e879c942d504824ac211c + SHA1: 21ce87d827077e61abddf2beba69fde5432ea031 + SHA256: 1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2006-11-08 00:00:00' + ValidTo: '2021-11-07 23:59:59' + Signature: 1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 250ce8e030612e9f2b89f7054d7cf8fd + Version: 3 + TBS: + MD5: 918d9eb6a6cd36c531eceb926170a7e1 + SHA1: 0ae95700d65e6f59715aa47048993ca7858e676a + SHA256: 47c46e6eaa3780eace3d0d891346cd373359d246b21a957219dbab4c8f37c166 + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b 
+ - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft + Software Validation v2, CN=CPUID + ValidFrom: '2012-01-06 00:00:00' + ValidTo: '2015-02-06 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 53c8b54713882d4d5439511804935e + Version: 3 + TBS: + MD5: 49e7946e133b4aaa31899adb235d3fa9 + SHA1: f9f38ec49a6ccb990805be6dda0efa5f7fe8f7e7 + SHA256: 1bb998a806b890e3300be35de0daa1b691fa218ef3d58ee5ec1b43fd34250a74 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 53c8b54713882d4d5439511804935e + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 + RichPEHeaderHash: + MD5: 685a19a8e9f46a76067db83da501dca0 + SHA1: 5f76e4cf5157450837536db016e9981cb41394d2 + SHA256: 1a0c69ff029488d41c7d9413943c28d389016adb26698d9baf02c6f32739d591 + Sections: + .text: + Entropy: 6.181674969781746 + Virtual Size: '0x2536' + .rdata: + Entropy: 4.160071293394142 + Virtual Size: '0x3d4' + .data: + Entropy: 0.378703493487675 + Virtual Size: '0x2c0' + .pdata: + Entropy: 3.4970531643346394 + Virtual Size: '0xc0' + INIT: + Entropy: 5.076575853289 + Virtual Size: '0x406' + .rsrc: + Entropy: 3.3935766621226473 + Virtual Size: '0x350' + MagicHeader: 50 45 0 0 + 
CreationTimestamp: '2012-10-27 11:24:41' +- Filename: cpuz.sys + MD5: 262969a3fab32b9e17e63e2d17a57744 + SHA1: 363b907c3b4f37968e9c8e1b7eeca5a5c5d530f8 + SHA256: 1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512 + Authentihash: + MD5: 7c8e917e5adba8b20bea898d4b966c6c + SHA1: 570496ebc3c4010b48c3703652fdfcb60352798b + SHA256: 98c86fcf018822289340d248f5e2896c41ad0f284febb741b945312ff40bdfa3 + Description: CPUID Driver + Company: CPUID + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: CPUID service + ProductVersion: 6.1.7600.16385 + Copyright: Copyright(C) 2010 CPUID + MachineType: AMD64 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - RtlAnsiStringToUnicodeString + - RtlInitUnicodeString + - IoDeleteDevice + - KeInitializeEvent + - RtlInitAnsiString + - MmUnmapIoSpace + - IoCancelIrp + - RtlFreeUnicodeString + - IoGetDeviceObjectPointer + - ExFreePoolWithTag + - IofCompleteRequest + - KeWaitForSingleObject + - PsGetVersion + - IoCreateSymbolicLink + - MmIsAddressValid + - ObfDereferenceObject + - IoCreateDevice + - IofCallDriver + - KeBugCheckEx + - IoDeleteSymbolicLink + - IoBuildDeviceIoControlRequest + - MmMapIoSpace + - ExAllocatePoolWithTag + - RtlUnwindEx + - HalSetBusDataByOffset + - KeStallExecutionProcessor + - HalGetBusDataByOffset + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , + G2 + ValidFrom: '2007-06-15 00:00:00' + ValidTo: '2012-06-14 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 3825d7faf861af9ef490e726b5d65ad5 + Version: 3 + TBS: + MD5: d6c7684e9aaa508cf268335f83afe040 + SHA1: 18066d20ad92409c567cdfde745279ff71c75226 + SHA256: a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff + - Subject: 
C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2013-12-03 23:59:59' + Signature: 4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 47bf1995df8d524643f7db6d480d31a4 + Version: 3 + TBS: + MD5: 518d2ea8a21e879c942d504824ac211c + SHA1: 21ce87d827077e61abddf2beba69fde5432ea031 + SHA256: 1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 + CA + ValidFrom: '2004-07-16 00:00:00' + ValidTo: '2014-07-15 23:59:59' + Signature: ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 4191a15a3978dfcf496566381d4c75c2 + Version: 3 + TBS: + MD5: 41011f8d0e7c7a6408334ca387914c61 + SHA1: c7fc1727f5b75a6421a1f95c73bbdb23580c48e5 + SHA256: 88dd3952638ee82738c03168e6fd863fe4eab1059ee5e2926ad8cb587c255dc0 + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft + Software Validation v2, CN=CPUID + ValidFrom: '2009-02-02 00:00:00' + ValidTo: '2012-02-07 23:59:59' + Signature: 
9a9bbecb393272aaedfd7a125e0fe581151a18a75a4094e082a38156f62018b9d59edef27429bbea60d6e146a2ce134546d54e00b6585c1d85e3aedfb3b9a5de7728a96b2bcc26106655bae6bc5ce3a72714f9e23282a2fba29fc870b394e832f07dc50ded3a042953fe91379769e424398278b6ed14ae4f6b4cce5fa7ba20fc8d157a78fd308214d177189bcd76b2bd62a861a8c1562e2748f338f7369f0f062804685399a6655fcb4564a644e7a8bee8330557376884cce9153992e8e205bc1474dbd0109b3c87991db9bb77a9dff5775267390431ce56ff49500d8ad70be34a0d9a0b112e07eb55f0fe07de9ac93a0b30cb36029b5ec41e032daf66627d4e + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 29f25a23906de1bbfa2c46067eba0ddd + Version: 3 + TBS: + MD5: fb72fa311261c4fb6a786e5cc7ce1d2f + SHA1: 1006abcf3b1eb43fd4cc42a2cc25346b3b9002c3 + SHA256: 01beb7dc0d29b16a5506fc611b435aa0f4d9c50408ca404e91135e493a20890a + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + Signer: + - SerialNumber: 29f25a23906de1bbfa2c46067eba0ddd + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 + CA + Version: 1 + RichPEHeaderHash: + MD5: 685a19a8e9f46a76067db83da501dca0 + SHA1: 5f76e4cf5157450837536db016e9981cb41394d2 + SHA256: 1a0c69ff029488d41c7d9413943c28d389016adb26698d9baf02c6f32739d591 + Sections: + .text: + Entropy: 6.190718841242454 + Virtual Size: '0x2416' + .rdata: + Entropy: 4.183312032190414 + Virtual Size: '0x3ec' + .data: + Entropy: 0.378703493487675 + Virtual Size: '0x2c0' + .pdata: + Entropy: 
3.53594863841985 + Virtual Size: '0xc0' + INIT: + Entropy: 5.076575853289 + Virtual Size: '0x406' + .rsrc: + Entropy: 3.3943730160709853 + Virtual Size: '0x350' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2010-11-09 06:33:36' +- Filename: cpuz.sys + MD5: 17719a7f571d4cd08223f0b30f71b8b8 + SHA1: f9c916d163b85057414300ca214ebdf751172ecf + SHA256: 1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c + Authentihash: + MD5: 93bf28533aa6e63dc8b80b998b0814af + SHA1: 413ed5609215f4a6cee3b7b357eb594902a817f5 + SHA256: 1399e65aa55c898a6cd5fb32d4b19f5bbaf69c56c1383963c99b7a0804eb0203 + Description: CPUID Driver + Company: Windows (R) Win 7 DDK provider + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: Windows (R) Win 7 DDK driver + ProductVersion: 6.1.7600.16385 + Copyright: "\xA9 Microsoft Corporation. All rights reserved." + MachineType: AMD64 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - RtlAnsiStringToUnicodeString + - RtlInitUnicodeString + - IoDeleteDevice + - KeInitializeEvent + - RtlInitAnsiString + - MmUnmapIoSpace + - IoCancelIrp + - RtlFreeUnicodeString + - IoGetDeviceObjectPointer + - ExFreePoolWithTag + - IofCompleteRequest + - KeWaitForSingleObject + - PsGetVersion + - IoCreateSymbolicLink + - MmIsAddressValid + - ObfDereferenceObject + - IoCreateDevice + - IofCallDriver + - KeBugCheckEx + - IoDeleteSymbolicLink + - IoBuildDeviceIoControlRequest + - MmMapIoSpace + - ExAllocatePoolWithTag + - RtlUnwindEx + - HalSetBusDataByOffset + - KeStallExecutionProcessor + - HalGetBusDataByOffset + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , + G2 + ValidFrom: '2007-06-15 00:00:00' + ValidTo: '2012-06-14 23:59:59' + Signature: 
50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 3825d7faf861af9ef490e726b5d65ad5 + Version: 3 + TBS: + MD5: d6c7684e9aaa508cf268335f83afe040 + SHA1: 18066d20ad92409c567cdfde745279ff71c75226 + SHA256: a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2013-12-03 23:59:59' + Signature: 4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 47bf1995df8d524643f7db6d480d31a4 + Version: 3 + TBS: + MD5: 518d2ea8a21e879c942d504824ac211c + SHA1: 21ce87d827077e61abddf2beba69fde5432ea031 + SHA256: 1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 + CA + ValidFrom: '2004-07-16 00:00:00' + ValidTo: '2014-07-15 23:59:59' + Signature: 
ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 4191a15a3978dfcf496566381d4c75c2 + Version: 3 + TBS: + MD5: 41011f8d0e7c7a6408334ca387914c61 + SHA1: c7fc1727f5b75a6421a1f95c73bbdb23580c48e5 + SHA256: 88dd3952638ee82738c03168e6fd863fe4eab1059ee5e2926ad8cb587c255dc0 + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft + Software Validation v2, CN=CPUID + ValidFrom: '2009-02-02 00:00:00' + ValidTo: '2012-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 29f25a23906de1bbfa2c46067eba0ddd + Version: 3 + TBS: + MD5: fb72fa311261c4fb6a786e5cc7ce1d2f + SHA1: 1006abcf3b1eb43fd4cc42a2cc25346b3b9002c3 + SHA256: 01beb7dc0d29b16a5506fc611b435aa0f4d9c50408ca404e91135e493a20890a + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + Signer: + - SerialNumber: 29f25a23906de1bbfa2c46067eba0ddd + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 + CA + Version: 1 + RichPEHeaderHash: + MD5: 89dc670b5f7c06b577deeec9473dc96b + SHA1: af59c00ae531117ba9307257ab945cdf6c8309f6 + 
SHA256: 35b9d8fc904c88f4df237edc610727f89c415e48bcf135191c43832bb2935ba6 + Sections: + .text: + Entropy: 6.182386482362877 + Virtual Size: '0x2256' + .rdata: + Entropy: 4.258631853520521 + Virtual Size: '0x3d0' + .data: + Entropy: 0.378703493487675 + Virtual Size: '0x2c0' + .pdata: + Entropy: 3.4326961450392584 + Virtual Size: '0x90' + INIT: + Entropy: 5.067835669413665 + Virtual Size: '0x406' + .rsrc: + Entropy: 3.4148190207283133 + Virtual Size: '0x3d0' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2010-07-09 05:16:58' +- Filename: cpuz.sys + MD5: 21be10f66bb65c1d406407faa0b9ba95 + SHA1: 86e59b17272a3e7d9976c980ded939bf8bf75069 + SHA256: 2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22 + Authentihash: + MD5: 9328ac41d0afb80914780b9474c0bca0 + SHA1: e8f4f4e2a672d845d897f36646d8339597135050 + SHA256: c0ed71b491aec860932fe92e5527ef444d537b396186ac839d5ed0884cfcaf0c + Description: CPUID Driver + Company: CPUID + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: CPUID service + ProductVersion: 6.1.7600.16385 + Copyright: Copyright(C) 2014 CPUID + MachineType: AMD64 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - RtlAnsiStringToUnicodeString + - RtlInitUnicodeString + - IoDeleteDevice + - KeInitializeEvent + - RtlInitAnsiString + - MmUnmapIoSpace + - IoCancelIrp + - RtlFreeUnicodeString + - IoGetDeviceObjectPointer + - ExFreePoolWithTag + - IofCompleteRequest + - KeWaitForSingleObject + - PsGetVersion + - IoCreateSymbolicLink + - MmIsAddressValid + - ObfDereferenceObject + - IoCreateDevice + - IofCallDriver + - KeBugCheckEx + - IoDeleteSymbolicLink + - IoBuildDeviceIoControlRequest + - MmMapIoSpace + - ExAllocatePoolWithTag + - RtlUnwindEx + - HalSetBusDataByOffset + - KeStallExecutionProcessor + - HalGetBusDataByOffset + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=Symantec Corporation, CN=Symantec Time 
Stamping Services CA + , G2 + ValidFrom: '2012-12-21 00:00:00' + ValidTo: '2020-12-30 23:59:59' + Signature: 03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 7e93ebfb7cc64e59ea4b9a77d406fc3b + Version: 3 + TBS: + MD5: d0785ad36e427c92b19f6826ab1e8020 + SHA1: 365b7a9c21bd9373e49052c3e7b3e4646ddd4d43 + SHA256: c2abb7484da91a658548de089d52436175fdb760a1387d225611dc0613a1e2ff + - Subject: C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer + , G4 + ValidFrom: '2012-10-18 00:00:00' + ValidTo: '2020-12-29 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 0ecff438c8febf356e04d86a981b1a50 + Version: 3 + TBS: + MD5: e9d38360b914c8863f6cba3ee58764d3 + SHA1: 4cba8eae47b6bf76f20b3504b98b8f062694a89b + SHA256: 88901d86a4cc1f1bb193d08e1fb63d27452e63f83e228c657ab1a92e4ade3976 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2006-11-08 00:00:00' + ValidTo: '2021-11-07 23:59:59' + Signature: 1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 250ce8e030612e9f2b89f7054d7cf8fd + Version: 3 + TBS: + MD5: 918d9eb6a6cd36c531eceb926170a7e1 + SHA1: 0ae95700d65e6f59715aa47048993ca7858e676a + SHA256: 47c46e6eaa3780eace3d0d891346cd373359d246b21a957219dbab4c8f37c166 + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft + Software Validation v2, CN=CPUID + ValidFrom: '2012-01-06 00:00:00' + ValidTo: '2015-02-06 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 53c8b54713882d4d5439511804935e + Version: 3 + TBS: + MD5: 49e7946e133b4aaa31899adb235d3fa9 + SHA1: f9f38ec49a6ccb990805be6dda0efa5f7fe8f7e7 + SHA256: 1bb998a806b890e3300be35de0daa1b691fa218ef3d58ee5ec1b43fd34250a74 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + 
ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 53c8b54713882d4d5439511804935e + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 + RichPEHeaderHash: + MD5: c046d6f14ec39d2a0f67a417bda83c5e + SHA1: 74661f1063b4c80566f75a1bee22c35f7af17fa9 + SHA256: 440eebbdc09d290724d364056ba4e2725c75759819a6df0a1ed5c876ed7d2474 + Sections: + .text: + Entropy: 6.184959788800412 + Virtual Size: '0x3046' + .rdata: + Entropy: 4.1967199978388665 + Virtual Size: '0x434' + .data: + Entropy: 0.378703493487675 + Virtual Size: '0x2c0' + .pdata: + Entropy: 3.61540303809267 + Virtual Size: '0xd8' + INIT: + Entropy: 5.133048134973059 + Virtual Size: '0x406' + .rsrc: + Entropy: 3.3971374522271924 + Virtual Size: '0x350' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2014-10-06 04:26:29' +- Filename: cpuz.sys + MD5: 4885e1bf1971c8fa9e7686fd5199f500 + SHA1: 388068adc9ec46a0bbc8173bcb0d5f9cf8af6ea5 + SHA256: 26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43 + Authentihash: + MD5: 92c5a8d936bb2ef7802aaa15c877e866 + SHA1: 340024982f9ad5c2722bab8cddec9d32f0efdc7c + SHA256: 313a69d8eea6a933cffac0fa67d46ad9aef0815bb579fce7623d9be825888e30 + Description: CPUID Driver + Company: CPUID + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: CPUID service + ProductVersion: 6.1.7600.16385 + Copyright: Copyright(C) 2013 CPUID + MachineType: AMD64 + Imports: + - ntoskrnl.exe + - HAL.dll + 
ExportedFunctions: '' + ImportedFunctions: + - RtlAnsiStringToUnicodeString + - RtlInitUnicodeString + - IoDeleteDevice + - KeInitializeEvent + - RtlInitAnsiString + - MmUnmapIoSpace + - IoCancelIrp + - RtlFreeUnicodeString + - IoGetDeviceObjectPointer + - ExFreePoolWithTag + - IofCompleteRequest + - KeWaitForSingleObject + - PsGetVersion + - IoCreateSymbolicLink + - MmIsAddressValid + - ObfDereferenceObject + - IoCreateDevice + - IofCallDriver + - KeBugCheckEx + - IoDeleteSymbolicLink + - IoBuildDeviceIoControlRequest + - MmMapIoSpace + - ExAllocatePoolWithTag + - RtlUnwindEx + - HalSetBusDataByOffset + - KeStallExecutionProcessor + - HalGetBusDataByOffset + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA + , G2 + ValidFrom: '2012-12-21 00:00:00' + ValidTo: '2020-12-30 23:59:59' + Signature: 03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 7e93ebfb7cc64e59ea4b9a77d406fc3b + Version: 3 + TBS: + MD5: d0785ad36e427c92b19f6826ab1e8020 + SHA1: 365b7a9c21bd9373e49052c3e7b3e4646ddd4d43 + SHA256: c2abb7484da91a658548de089d52436175fdb760a1387d225611dc0613a1e2ff + - Subject: C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer + , G4 + ValidFrom: '2012-10-18 00:00:00' + ValidTo: '2020-12-29 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 0ecff438c8febf356e04d86a981b1a50 + Version: 3 + TBS: + MD5: e9d38360b914c8863f6cba3ee58764d3 + SHA1: 4cba8eae47b6bf76f20b3504b98b8f062694a89b + SHA256: 
88901d86a4cc1f1bb193d08e1fb63d27452e63f83e228c657ab1a92e4ade3976 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2006-11-08 00:00:00' + ValidTo: '2021-11-07 23:59:59' + Signature: 1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 250ce8e030612e9f2b89f7054d7cf8fd + Version: 3 + TBS: + MD5: 918d9eb6a6cd36c531eceb926170a7e1 + SHA1: 0ae95700d65e6f59715aa47048993ca7858e676a + SHA256: 47c46e6eaa3780eace3d0d891346cd373359d246b21a957219dbab4c8f37c166 + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft + Software Validation v2, CN=CPUID + ValidFrom: '2012-01-06 00:00:00' + ValidTo: '2015-02-06 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 53c8b54713882d4d5439511804935e + Version: 3 + TBS: + MD5: 49e7946e133b4aaa31899adb235d3fa9 + SHA1: f9f38ec49a6ccb990805be6dda0efa5f7fe8f7e7 + SHA256: 1bb998a806b890e3300be35de0daa1b691fa218ef3d58ee5ec1b43fd34250a74 + - Subject: 
C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 53c8b54713882d4d5439511804935e + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 + RichPEHeaderHash: + MD5: 685a19a8e9f46a76067db83da501dca0 + SHA1: 5f76e4cf5157450837536db016e9981cb41394d2 + SHA256: 1a0c69ff029488d41c7d9413943c28d389016adb26698d9baf02c6f32739d591 + Sections: + .text: + Entropy: 6.189630683612354 + Virtual Size: '0x2c76' + .rdata: + Entropy: 4.1481713750399685 + Virtual Size: '0x414' + .data: + Entropy: 0.378703493487675 + Virtual Size: '0x2c0' + .pdata: + Entropy: 3.5274875201903875 + Virtual Size: '0xc0' + INIT: + Entropy: 5.076575853289 + Virtual Size: '0x406' + .rsrc: + Entropy: 3.3935766621226473 + Virtual Size: '0x350' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2013-11-27 03:33:59' +- Filename: cpuz.sys + MD5: ab4ee84e09b09012ac86d3a875af9d43 + SHA1: 3c81cdfd99d91c7c9de7921607be12233ed0dfd8 + SHA256: 2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486 + Authentihash: + MD5: 654f9a768f518e632c99309bd4c1145b + SHA1: a5f086835d7c2883ad8d985772d02a9a8815bcbb + SHA256: d4e93f592a8342b0eb582d24a114348ce40ecb3c1e7b238d731b02e17d5aae7d + Description: CPUID Driver + Company: CPUID + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: CPUID 
service + ProductVersion: 6.1.7600.16385 + Copyright: Copyright(C) 2012 CPUID + MachineType: AMD64 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - RtlAnsiStringToUnicodeString + - RtlInitUnicodeString + - IoDeleteDevice + - KeInitializeEvent + - RtlInitAnsiString + - MmUnmapIoSpace + - IoCancelIrp + - RtlFreeUnicodeString + - IoGetDeviceObjectPointer + - ExFreePoolWithTag + - IofCompleteRequest + - KeWaitForSingleObject + - PsGetVersion + - IoCreateSymbolicLink + - MmIsAddressValid + - ObfDereferenceObject + - IoCreateDevice + - IofCallDriver + - KeBugCheckEx + - IoDeleteSymbolicLink + - IoBuildDeviceIoControlRequest + - MmMapIoSpace + - ExAllocatePoolWithTag + - RtlUnwindEx + - HalSetBusDataByOffset + - KeStallExecutionProcessor + - HalGetBusDataByOffset + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA + , G2 + ValidFrom: '2012-12-21 00:00:00' + ValidTo: '2020-12-30 23:59:59' + Signature: 03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 7e93ebfb7cc64e59ea4b9a77d406fc3b + Version: 3 + TBS: + MD5: d0785ad36e427c92b19f6826ab1e8020 + SHA1: 365b7a9c21bd9373e49052c3e7b3e4646ddd4d43 + SHA256: c2abb7484da91a658548de089d52436175fdb760a1387d225611dc0613a1e2ff + - Subject: C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer + , G4 + ValidFrom: '2012-10-18 00:00:00' + ValidTo: '2020-12-29 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 0ecff438c8febf356e04d86a981b1a50 + Version: 3 + TBS: + MD5: 
e9d38360b914c8863f6cba3ee58764d3 + SHA1: 4cba8eae47b6bf76f20b3504b98b8f062694a89b + SHA256: 88901d86a4cc1f1bb193d08e1fb63d27452e63f83e228c657ab1a92e4ade3976 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2006-11-08 00:00:00' + ValidTo: '2021-11-07 23:59:59' + Signature: 1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 250ce8e030612e9f2b89f7054d7cf8fd + Version: 3 + TBS: + MD5: 918d9eb6a6cd36c531eceb926170a7e1 + SHA1: 0ae95700d65e6f59715aa47048993ca7858e676a + SHA256: 47c46e6eaa3780eace3d0d891346cd373359d246b21a957219dbab4c8f37c166 + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft + Software Validation v2, CN=CPUID + ValidFrom: '2012-01-06 00:00:00' + ValidTo: '2015-02-06 23:59:59' + Signature: 
be6fb3b3b33e9108a9a2273d1cf5eb3209a8c3a86ba7d66069393587f6b451b75b327ea15d36b1604aad5509c0ace37fa66e220b35764b9c201169677738c06802d2f798383c256c690898a663b0aeb519491057f9f24149c513abba2a4cab9934a684e5d83a34105fe6681f2b85d5ee06332d1c05c3627758442fd2fc94f5f68bb30f085cb1d31174e1461394aeef7b124291a099654d1103df3deab81e9658b5b5cc817061d688ae39e702f1d0dd420d6de931bed331960e089233b8576482e48d5b769fdfa8df02e1d098912444b324057826e1f72c26f045b2479a9b39eadfd6b2e1bd6db4057ef6b12ca385cad9a7ad82c4414e619f97dfd08a55f59053 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 53c8b54713882d4d5439511804935e + Version: 3 + TBS: + MD5: 49e7946e133b4aaa31899adb235d3fa9 + SHA1: f9f38ec49a6ccb990805be6dda0efa5f7fe8f7e7 + SHA256: 1bb998a806b890e3300be35de0daa1b691fa218ef3d58ee5ec1b43fd34250a74 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 53c8b54713882d4d5439511804935e + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 + RichPEHeaderHash: + MD5: 685a19a8e9f46a76067db83da501dca0 + SHA1: 5f76e4cf5157450837536db016e9981cb41394d2 + SHA256: 1a0c69ff029488d41c7d9413943c28d389016adb26698d9baf02c6f32739d591 + Sections: + .text: + Entropy: 6.190388157802366 + Virtual Size: '0x2616' + .rdata: + Entropy: 4.158462162346533 + Virtual Size: '0x3d4' + .data: + 
Entropy: 0.378703493487675 + Virtual Size: '0x2c0' + .pdata: + Entropy: 3.501505002731896 + Virtual Size: '0xc0' + INIT: + Entropy: 5.076575853289 + Virtual Size: '0x406' + .rsrc: + Entropy: 3.3935766621226473 + Virtual Size: '0x350' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2013-05-10 06:42:51' +- Filename: cpuz.sys + MD5: 743c403d20a89db5ed84c874768b7119 + SHA1: dc8fa4648c674e3a7148dd8e8c35f668a3701a52 + SHA256: 2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e + Authentihash: + MD5: 4c2f42ab19a70ee6a2cb936329b34aff + SHA1: 742a9fc918c7bb2b1707412c703d7b7674ed1094 + SHA256: fd8d61102719afb0b8a230d9e8c372af3396bec4a6d72aada42a1f1d36187751 + Description: CPUID Driver + Company: Windows (R) Win 7 DDK provider + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: Windows (R) Win 7 DDK driver + ProductVersion: 6.1.7600.16385 + Copyright: "\xA9 Microsoft Corporation. All rights reserved." + MachineType: I386 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - ExFreePoolWithTag + - ExAllocatePoolWithTag + - RtlFreeUnicodeString + - ObfDereferenceObject + - MmIsAddressValid + - IoGetDeviceObjectPointer + - RtlAnsiStringToUnicodeString + - IofCompleteRequest + - MmMapIoSpace + - ProbeForWrite + - IoCreateSymbolicLink + - IoCreateDevice + - KeTickCount + - KeBugCheckEx + - MmUnmapIoSpace + - RtlInitUnicodeString + - IoDeleteSymbolicLink + - IoDeleteDevice + - PsGetVersion + - KeInitializeEvent + - IoBuildDeviceIoControlRequest + - IofCallDriver + - RtlInitAnsiString + - KeWaitForSingleObject + - RtlUnwind + - READ_PORT_USHORT + - READ_PORT_ULONG + - WRITE_PORT_UCHAR + - WRITE_PORT_USHORT + - WRITE_PORT_ULONG + - HalGetBusDataByOffset + - HalSetBusDataByOffset + - KeStallExecutionProcessor + - READ_PORT_UCHAR + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , 
+ G2 + ValidFrom: '2007-06-15 00:00:00' + ValidTo: '2012-06-14 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 3825d7faf861af9ef490e726b5d65ad5 + Version: 3 + TBS: + MD5: d6c7684e9aaa508cf268335f83afe040 + SHA1: 18066d20ad92409c567cdfde745279ff71c75226 + SHA256: a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2013-12-03 23:59:59' + Signature: 4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 47bf1995df8d524643f7db6d480d31a4 + Version: 3 + TBS: + MD5: 518d2ea8a21e879c942d504824ac211c + SHA1: 21ce87d827077e61abddf2beba69fde5432ea031 + SHA256: 1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 + CA + ValidFrom: '2004-07-16 00:00:00' + ValidTo: '2014-07-15 23:59:59' + Signature: ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 4191a15a3978dfcf496566381d4c75c2 + Version: 3 + TBS: + MD5: 41011f8d0e7c7a6408334ca387914c61 + SHA1: c7fc1727f5b75a6421a1f95c73bbdb23580c48e5 + SHA256: 88dd3952638ee82738c03168e6fd863fe4eab1059ee5e2926ad8cb587c255dc0 + - Subject: 
C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft + Software Validation v2, CN=CPUID + ValidFrom: '2009-02-02 00:00:00' + ValidTo: '2012-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 29f25a23906de1bbfa2c46067eba0ddd + Version: 3 + TBS: + MD5: fb72fa311261c4fb6a786e5cc7ce1d2f + SHA1: 1006abcf3b1eb43fd4cc42a2cc25346b3b9002c3 + SHA256: 01beb7dc0d29b16a5506fc611b435aa0f4d9c50408ca404e91135e493a20890a + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + Signer: + - SerialNumber: 29f25a23906de1bbfa2c46067eba0ddd + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 + CA + Version: 1 + RichPEHeaderHash: + MD5: 4ba73072bea66755a70f3a8c99951424 + SHA1: d9ce039d736544c2d9b7fe44460d8e006a5c62f0 + SHA256: 3b45bc2da9543317e7a22486f86a3f8c0eb289596d1d7661b47e35e99058861f + Sections: + .text: + Entropy: 6.221169838993626 + Virtual Size: '0x2030' + .rdata: + Entropy: 4.564029507184391 + Virtual Size: '0x2ec' + .data: + Entropy: 0.22396935932252834 + Virtual Size: '0x1c0' + INIT: + Entropy: 5.46954214905682 + Virtual Size: '0x3fc' + .rsrc: + Entropy: 3.413813063110847 + Virtual Size: '0x3d0' + .reloc: + Entropy: 5.666994611221042 + Virtual Size: '0x210' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2010-05-11 03:59:25' +- Filename: cpuz.sys + MD5: 
e0bfbdf3793ea2742c03f5a82cb305a5 + SHA1: a6a71fb4f91080aff2a3a42811b4bd86fb22168d + SHA256: 2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e + Authentihash: + MD5: a85d9912baf9994b0fabf924f6a66e9b + SHA1: 04defcae6548e92ea76bd7069a672a7e1067b995 + SHA256: d1c71a98e10105faa0814fec3544474d86ae0e8f88efd77798a716adad3994a2 + Description: CPUID Driver + Company: Windows (R) Codename Longhorn DDK provider + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.0.6000.16386 built by: WinDDK' + Product: Windows (R) Codename Longhorn DDK driver + ProductVersion: 6.0.6000.16386 + Copyright: "\xA9 Microsoft Corporation. All rights reserved." + MachineType: AMD64 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - IoDeleteSymbolicLink + - IoCreateSymbolicLink + - MmIsAddressValid + - ObfDereferenceObject + - RtlAnsiStringToUnicodeString + - RtlFreeUnicodeString + - IoCreateDevice + - IofCallDriver + - IoGetDeviceObjectPointer + - IoBuildDeviceIoControlRequest + - IoDeleteDevice + - ProbeForWrite + - MmMapIoSpace + - KeInitializeEvent + - RtlInitAnsiString + - IofCompleteRequest + - KeWaitForSingleObject + - KeBugCheckEx + - MmUnmapIoSpace + - RtlInitUnicodeString + - PsGetVersion + - RtlUnwindEx + - HalSetBusDataByOffset + - HalGetBusDataByOffset + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , + G2 + ValidFrom: '2007-06-15 00:00:00' + ValidTo: '2012-06-14 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 3825d7faf861af9ef490e726b5d65ad5 + Version: 3 + TBS: + MD5: d6c7684e9aaa508cf268335f83afe040 + SHA1: 18066d20ad92409c567cdfde745279ff71c75226 + SHA256: a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services 
CA + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2013-12-03 23:59:59' + Signature: 4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 47bf1995df8d524643f7db6d480d31a4 + Version: 3 + TBS: + MD5: 518d2ea8a21e879c942d504824ac211c + SHA1: 21ce87d827077e61abddf2beba69fde5432ea031 + SHA256: 1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 + CA + ValidFrom: '2004-07-16 00:00:00' + ValidTo: '2014-07-15 23:59:59' + Signature: ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 4191a15a3978dfcf496566381d4c75c2 + Version: 3 + TBS: + MD5: 41011f8d0e7c7a6408334ca387914c61 + SHA1: c7fc1727f5b75a6421a1f95c73bbdb23580c48e5 + SHA256: 88dd3952638ee82738c03168e6fd863fe4eab1059ee5e2926ad8cb587c255dc0 + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft + Software Validation v2, CN=CPUID + ValidFrom: '2009-02-02 00:00:00' + ValidTo: '2012-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 29f25a23906de1bbfa2c46067eba0ddd + Version: 3 + TBS: + MD5: fb72fa311261c4fb6a786e5cc7ce1d2f + SHA1: 1006abcf3b1eb43fd4cc42a2cc25346b3b9002c3 + SHA256: 
01beb7dc0d29b16a5506fc611b435aa0f4d9c50408ca404e91135e493a20890a + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + Signer: + - SerialNumber: 29f25a23906de1bbfa2c46067eba0ddd + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 + CA + Version: 1 + RichPEHeaderHash: + MD5: a4919ba9bce5fa10c0659fe35e106bff + SHA1: c9062199c8b03518cf06dcc7212ff3c1ffbf0452 + SHA256: f6f4beb34371f4eec6c80a94046382a70864524606df3fdcf4d08fe9ddacc1af + Sections: + .text: + 
Entropy: 6.139220942185034 + Virtual Size: '0x1da6' + .rdata: + Entropy: 4.302697981700664 + Virtual Size: '0x394' + .data: + Entropy: 0.378703493487675 + Virtual Size: '0x2c0' + .pdata: + Entropy: 3.3507319703399823 + Virtual Size: '0x84' + INIT: + Entropy: 4.945456847123696 + Virtual Size: '0x388' + .rsrc: + Entropy: 3.393742999677783 + Virtual Size: '0x400' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2009-03-07 03:03:14' +- Filename: cpuz.sys + MD5: 22ca5fe8fb0e5e22e6fb0848108c03f4 + SHA1: bec66e0a4842048c25732f7ea2bbe989ea400abf + SHA256: 34bee22c18ddbddbe115cf1ab55cabf0e482aba1eb2c343153577fb24b7226d3 + Authentihash: + MD5: b1113bc5a8f67468ae6e0183c60be10a + SHA1: bbea7d9b8672ca30c6a8f49e913f110720d4753c + SHA256: 55e3b977402be076bfafe332a3fb29ddb6b02edf932d02e963df09adbe89eb91 + Description: CPUID Driver + Company: CPUID + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: CPUID service + ProductVersion: 6.1.7600.16385 + Copyright: Copyright(C) 2017 CPUID + MachineType: AMD64 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - RtlInitUnicodeString + - IoDeleteDevice + - KeInitializeEvent + - RtlInitAnsiString + - MmUnmapIoSpace + - IoCancelIrp + - RtlFreeUnicodeString + - IoGetDeviceObjectPointer + - RtlAnsiStringToUnicodeString + - IofCompleteRequest + - KeWaitForSingleObject + - PsGetVersion + - IoCreateSymbolicLink + - ObfDereferenceObject + - IoCreateDevice + - IofCallDriver + - KeBugCheckEx + - ExFreePoolWithTag + - IoDeleteSymbolicLink + - IoBuildDeviceIoControlRequest + - MmMapIoSpace + - ExAllocatePoolWithTag + - RtlUnwindEx + - HalGetBusDataByOffset + - HalSetBusDataByOffset + - KeStallExecutionProcessor + - KeQueryPerformanceCounter + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2006-11-08 00:00:00' + ValidTo: '2021-11-07 23:59:59' + Signature: 1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 250ce8e030612e9f2b89f7054d7cf8fd + Version: 3 + TBS: + MD5: 918d9eb6a6cd36c531eceb926170a7e1 + SHA1: 0ae95700d65e6f59715aa47048993ca7858e676a + SHA256: 47c46e6eaa3780eace3d0d891346cd373359d246b21a957219dbab4c8f37c166 + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID + ValidFrom: '2014-12-02 00:00:00' + ValidTo: '2018-03-02 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 2d8021d84f098e7abde199f818e211a4 + Version: 3 + TBS: + MD5: 8f8c7ccf1ef7e1ee347f49e8266008ca + SHA1: b856b993df73da9d824aa1e5161788bd10d1e10e + SHA256: 1dd13a417806106c76cfbcd3614fe27a0638d2aaf2731f6a110c05043e34ad91 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + 
Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 2d8021d84f098e7abde199f818e211a4 + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 + RichPEHeaderHash: + MD5: c046d6f14ec39d2a0f67a417bda83c5e + SHA1: 74661f1063b4c80566f75a1bee22c35f7af17fa9 + SHA256: 440eebbdc09d290724d364056ba4e2725c75759819a6df0a1ed5c876ed7d2474 + Sections: + .text: + Entropy: 6.167627326915935 + Virtual Size: '0x4536' + .rdata: + Entropy: 4.195082406902852 + Virtual Size: '0x534' + .data: + Entropy: 0.378703493487675 + Virtual Size: '0x440' + .pdata: + Entropy: 3.6289632983036624 + Virtual Size: '0xfc' + INIT: + Entropy: 5.132100585029012 + Virtual Size: '0x40e' + .rsrc: + Entropy: 3.394946071861716 + Virtual Size: '0x350' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2017-04-24 05:12:14' +- Filename: cpuz.sys + MD5: 3ab94fba7196e84a97e83b15f7bcb270 + SHA1: bea745b598dd957924d3465ebc04c5b830d5724f + SHA256: 3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf + Authentihash: + MD5: 96c15399e89e9bca402ed660f90e1b98 + SHA1: 1b4335f92c6137f56c8f98e5b79fc7af67af2a24 + SHA256: 55a69f740a77fc07073c3d077d029dfb2dbe4b673171167e7310bd857eb55982 + Description: CPUID Driver + Company: CPUID + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: CPUID service + ProductVersion: 6.1.7600.16385 + Copyright: Copyright(C) 2013 CPUID + MachineType: I386 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - IofCompleteRequest + - ExFreePool 
+ - ExAllocatePoolWithTag + - RtlFreeUnicodeString + - ObfDereferenceObject + - MmIsAddressValid + - IoGetDeviceObjectPointer + - MmUnmapIoSpace + - RtlInitAnsiString + - MmMapIoSpace + - IoCreateSymbolicLink + - IoCreateDevice + - RtlUnwind + - KeTickCount + - KeBugCheckEx + - RtlInitUnicodeString + - IoDeleteSymbolicLink + - IoDeleteDevice + - PsGetVersion + - KeInitializeEvent + - IoBuildDeviceIoControlRequest + - IofCallDriver + - KeWaitForSingleObject + - RtlAnsiStringToUnicodeString + - IoCancelIrp + - READ_PORT_USHORT + - READ_PORT_ULONG + - WRITE_PORT_UCHAR + - WRITE_PORT_USHORT + - WRITE_PORT_ULONG + - HalGetBusDataByOffset + - HalSetBusDataByOffset + - KeStallExecutionProcessor + - READ_PORT_UCHAR + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA + , G2 + ValidFrom: '2012-12-21 00:00:00' + ValidTo: '2020-12-30 23:59:59' + Signature: 03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 7e93ebfb7cc64e59ea4b9a77d406fc3b + Version: 3 + TBS: + MD5: d0785ad36e427c92b19f6826ab1e8020 + SHA1: 365b7a9c21bd9373e49052c3e7b3e4646ddd4d43 + SHA256: c2abb7484da91a658548de089d52436175fdb760a1387d225611dc0613a1e2ff + - Subject: C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer + , G4 + ValidFrom: '2012-10-18 00:00:00' + ValidTo: '2020-12-29 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 0ecff438c8febf356e04d86a981b1a50 + Version: 3 + TBS: + MD5: e9d38360b914c8863f6cba3ee58764d3 + SHA1: 4cba8eae47b6bf76f20b3504b98b8f062694a89b + SHA256: 
88901d86a4cc1f1bb193d08e1fb63d27452e63f83e228c657ab1a92e4ade3976 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2006-11-08 00:00:00' + ValidTo: '2021-11-07 23:59:59' + Signature: 1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 250ce8e030612e9f2b89f7054d7cf8fd + Version: 3 + TBS: + MD5: 918d9eb6a6cd36c531eceb926170a7e1 + SHA1: 0ae95700d65e6f59715aa47048993ca7858e676a + SHA256: 47c46e6eaa3780eace3d0d891346cd373359d246b21a957219dbab4c8f37c166 + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft + Software Validation v2, CN=CPUID + ValidFrom: '2012-01-06 00:00:00' + ValidTo: '2015-02-06 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 53c8b54713882d4d5439511804935e + Version: 3 + TBS: + MD5: 49e7946e133b4aaa31899adb235d3fa9 + SHA1: f9f38ec49a6ccb990805be6dda0efa5f7fe8f7e7 + SHA256: 1bb998a806b890e3300be35de0daa1b691fa218ef3d58ee5ec1b43fd34250a74 + - Subject: 
C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 53c8b54713882d4d5439511804935e + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 + RichPEHeaderHash: + MD5: 41f15d0f328a165973b49de608ef72a2 + SHA1: abcd9850775bd0a1a855e785a238e0e69525810f + SHA256: 02dc44b04a6426fcaedf26995bfa471f123a90a9c747e82cebaf95f394890631 + Sections: + .text: + Entropy: 6.193679799265929 + Virtual Size: '0x2860' + .rdata: + Entropy: 4.611976907005874 + Virtual Size: '0x2c0' + .data: + Entropy: 0.335842300318532 + Virtual Size: '0x1e0' + INIT: + Entropy: 5.42180997612463 + Virtual Size: '0x3f4' + .rsrc: + Entropy: 3.391941258882184 + Virtual Size: '0x350' + .reloc: + Entropy: 5.431068617797713 + Virtual Size: '0x234' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2013-08-24 02:58:17' +- Filename: cpuz.sys + MD5: e323413de3caec7f7730b43c551f26a0 + SHA1: f3c20ce4282587c920e9ff5da2150fac7858172e + SHA256: 45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26 + Authentihash: + MD5: 972f2ce8097eda301f27a53fcf2b9865 + SHA1: aba5185a6ebdb040c5e4b8b8eaa44382eb705aec + SHA256: 157ae92541eda2f5035435c63e1654adfa45c06e37b05cbb60d76a63daa93f04 + Description: CPUID Driver + Company: CPUID + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: CPUID 
service + ProductVersion: 6.1.7600.16385 + Copyright: Copyright(C) 2014 CPUID + MachineType: AMD64 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - RtlAnsiStringToUnicodeString + - RtlInitUnicodeString + - IoDeleteDevice + - KeInitializeEvent + - RtlInitAnsiString + - MmUnmapIoSpace + - IoCancelIrp + - RtlFreeUnicodeString + - IoGetDeviceObjectPointer + - MmMapIoSpace + - ExFreePoolWithTag + - KeWaitForSingleObject + - PsGetVersion + - IoCreateSymbolicLink + - MmIsAddressValid + - ObfDereferenceObject + - IoCreateDevice + - DbgPrintEx + - IofCallDriver + - KeBugCheckEx + - IoDeleteSymbolicLink + - IoBuildDeviceIoControlRequest + - IofCompleteRequest + - ExAllocatePoolWithTag + - RtlUnwindEx + - HalSetBusDataByOffset + - KeStallExecutionProcessor + - HalGetBusDataByOffset + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA + , G2 + ValidFrom: '2012-12-21 00:00:00' + ValidTo: '2020-12-30 23:59:59' + Signature: 03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 7e93ebfb7cc64e59ea4b9a77d406fc3b + Version: 3 + TBS: + MD5: d0785ad36e427c92b19f6826ab1e8020 + SHA1: 365b7a9c21bd9373e49052c3e7b3e4646ddd4d43 + SHA256: c2abb7484da91a658548de089d52436175fdb760a1387d225611dc0613a1e2ff + - Subject: C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer + , G4 + ValidFrom: '2012-10-18 00:00:00' + ValidTo: '2020-12-29 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 0ecff438c8febf356e04d86a981b1a50 + Version: 3 + 
TBS: + MD5: e9d38360b914c8863f6cba3ee58764d3 + SHA1: 4cba8eae47b6bf76f20b3504b98b8f062694a89b + SHA256: 88901d86a4cc1f1bb193d08e1fb63d27452e63f83e228c657ab1a92e4ade3976 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2006-11-08 00:00:00' + ValidTo: '2021-11-07 23:59:59' + Signature: 1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 250ce8e030612e9f2b89f7054d7cf8fd + Version: 3 + TBS: + MD5: 918d9eb6a6cd36c531eceb926170a7e1 + SHA1: 0ae95700d65e6f59715aa47048993ca7858e676a + SHA256: 47c46e6eaa3780eace3d0d891346cd373359d246b21a957219dbab4c8f37c166 + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 
01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft + Software Validation v2, CN=CPUID + ValidFrom: '2012-01-06 00:00:00' + ValidTo: '2015-02-06 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 53c8b54713882d4d5439511804935e + Version: 3 + TBS: + MD5: 49e7946e133b4aaa31899adb235d3fa9 + SHA1: f9f38ec49a6ccb990805be6dda0efa5f7fe8f7e7 + SHA256: 1bb998a806b890e3300be35de0daa1b691fa218ef3d58ee5ec1b43fd34250a74 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa 
(c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 53c8b54713882d4d5439511804935e + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 + RichPEHeaderHash: + MD5: a2326d96aef2fdfe4c1d2ed909160ccc + SHA1: 48faced2ed09c60dd807398c1338259bddcd3c1f + SHA256: a125d206aeade4827dcce39aadbd8da6cad0d8ad799b46adfd7bf6bcd0acf11e + Sections: + .text: + Entropy: 6.223329975658994 + Virtual Size: '0x3207' + .rdata: + Entropy: 4.1808537985567344 + Virtual Size: '0x434' + .data: + Entropy: 0.378703493487675 + Virtual Size: '0x2c0' + .pdata: + Entropy: 3.626263920579275 + Virtual Size: '0xd8' + INIT: + Entropy: 5.120133577153886 + Virtual Size: '0x41c' + .rsrc: + Entropy: 3.3971374522271924 + Virtual Size: '0x350' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2014-10-23 09:03:05' +- Filename: cpuz.sys + MD5: c9c25778efe890baa4087e32937016a0 + SHA1: f4728f490d741b04b611164a7d997e34458e3a5e + SHA256: 49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668 + Authentihash: + MD5: ccc4847b99e359c72448de9f9f0981f1 + SHA1: 9e771be7100b166ba79aeeea58aa3dee44c09d6b + SHA256: 6b9090296a10225be115810e29e8ada4f70e4d4a8f88b385ccd9a8a6d2eb6778 + Description: CPUID Driver + Company: Windows (R) Codename Longhorn DDK provider + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.0.6000.16386 built by: WinDDK' + Product: Windows (R) Codename Longhorn DDK driver + ProductVersion: 
6.0.6000.16386 + Copyright: "\xA9 Microsoft Corporation. All rights reserved." + MachineType: AMD64 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - IoDeleteSymbolicLink + - IoCreateSymbolicLink + - MmIsAddressValid + - ObfDereferenceObject + - RtlAnsiStringToUnicodeString + - RtlFreeUnicodeString + - IoCreateDevice + - IofCallDriver + - IoGetDeviceObjectPointer + - IoBuildDeviceIoControlRequest + - IoDeleteDevice + - ProbeForWrite + - MmMapIoSpace + - KeInitializeEvent + - RtlInitAnsiString + - IofCompleteRequest + - KeWaitForSingleObject + - KeBugCheckEx + - MmUnmapIoSpace + - RtlInitUnicodeString + - PsGetVersion + - RtlUnwindEx + - HalSetBusDataByOffset + - HalGetBusDataByOffset + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , + G2 + ValidFrom: '2007-06-15 00:00:00' + ValidTo: '2012-06-14 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 3825d7faf861af9ef490e726b5d65ad5 + Version: 3 + TBS: + MD5: d6c7684e9aaa508cf268335f83afe040 + SHA1: 18066d20ad92409c567cdfde745279ff71c75226 + SHA256: a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2013-12-03 23:59:59' + Signature: 4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 47bf1995df8d524643f7db6d480d31a4 + Version: 3 + TBS: + MD5: 518d2ea8a21e879c942d504824ac211c + SHA1: 21ce87d827077e61abddf2beba69fde5432ea031 + SHA256: 
1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 + CA + ValidFrom: '2004-07-16 00:00:00' + ValidTo: '2014-07-15 23:59:59' + Signature: ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 4191a15a3978dfcf496566381d4c75c2 + Version: 3 + TBS: + MD5: 41011f8d0e7c7a6408334ca387914c61 + SHA1: c7fc1727f5b75a6421a1f95c73bbdb23580c48e5 + SHA256: 88dd3952638ee82738c03168e6fd863fe4eab1059ee5e2926ad8cb587c255dc0 + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft + Software Validation v2, CN=CPUID + ValidFrom: '2009-02-02 00:00:00' + ValidTo: '2012-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 29f25a23906de1bbfa2c46067eba0ddd + Version: 3 + TBS: + MD5: fb72fa311261c4fb6a786e5cc7ce1d2f + SHA1: 1006abcf3b1eb43fd4cc42a2cc25346b3b9002c3 + SHA256: 01beb7dc0d29b16a5506fc611b435aa0f4d9c50408ca404e91135e493a20890a + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + Signer: + - SerialNumber: 
29f25a23906de1bbfa2c46067eba0ddd + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 + CA + Version: 1 + RichPEHeaderHash: + MD5: a4919ba9bce5fa10c0659fe35e106bff + SHA1: c9062199c8b03518cf06dcc7212ff3c1ffbf0452 + SHA256: f6f4beb34371f4eec6c80a94046382a70864524606df3fdcf4d08fe9ddacc1af + Sections: + .text: + Entropy: 6.154548729898717 + Virtual Size: '0x1dd6' + .rdata: + Entropy: 4.332394275902173 + Virtual Size: '0x39c' + .data: + Entropy: 0.378703493487675 + Virtual Size: '0x2c0' + .pdata: + Entropy: 3.424516355212702 + Virtual Size: '0x84' + INIT: + Entropy: 4.945456847123696 + Virtual Size: '0x388' + .rsrc: + Entropy: 3.393742999677783 + Virtual Size: '0x400' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2009-03-26 17:17:23' +- Filename: cpuz.sys + MD5: 2f8653034a35526df88ea0c62b035a42 + SHA1: 68ca9c27131aa35c7f433dc914da74f4b3d8793f + SHA256: 4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036 + Authentihash: + MD5: a5f87835956f86d2acccd4c8012a4fcd + SHA1: 2e37b05cd1bafe18e0a1a33560b0ec5aa99b0192 + SHA256: e650b4e4b5a95cba582b9749cac4c40e67e854d78eb8494f46f6d11f1fcea4d6 + Description: CPUID Driver + Company: Windows (R) Win 7 DDK provider + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: Windows (R) Win 7 DDK driver + ProductVersion: 6.1.7600.16385 + Copyright: "\xA9 Microsoft Corporation. All rights reserved." 
+ MachineType: I386 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - IofCompleteRequest + - ExFreePoolWithTag + - ExAllocatePoolWithTag + - RtlFreeUnicodeString + - ObfDereferenceObject + - MmIsAddressValid + - IoGetDeviceObjectPointer + - RtlAnsiStringToUnicodeString + - MmUnmapIoSpace + - MmMapIoSpace + - ProbeForWrite + - IoCreateSymbolicLink + - IoCreateDevice + - RtlUnwind + - KeTickCount + - KeBugCheckEx + - RtlInitUnicodeString + - IoDeleteSymbolicLink + - IoDeleteDevice + - PsGetVersion + - KeInitializeEvent + - IoBuildDeviceIoControlRequest + - IofCallDriver + - RtlInitAnsiString + - KeWaitForSingleObject + - READ_PORT_USHORT + - READ_PORT_ULONG + - WRITE_PORT_UCHAR + - WRITE_PORT_USHORT + - WRITE_PORT_ULONG + - HalGetBusDataByOffset + - HalSetBusDataByOffset + - READ_PORT_UCHAR + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , + G2 + ValidFrom: '2007-06-15 00:00:00' + ValidTo: '2012-06-14 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 3825d7faf861af9ef490e726b5d65ad5 + Version: 3 + TBS: + MD5: d6c7684e9aaa508cf268335f83afe040 + SHA1: 18066d20ad92409c567cdfde745279ff71c75226 + SHA256: a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2013-12-03 23:59:59' + Signature: 4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 47bf1995df8d524643f7db6d480d31a4 + Version: 3 + 
TBS: + MD5: 518d2ea8a21e879c942d504824ac211c + SHA1: 21ce87d827077e61abddf2beba69fde5432ea031 + SHA256: 1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 + CA + ValidFrom: '2004-07-16 00:00:00' + ValidTo: '2014-07-15 23:59:59' + Signature: ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 4191a15a3978dfcf496566381d4c75c2 + Version: 3 + TBS: + MD5: 41011f8d0e7c7a6408334ca387914c61 + SHA1: c7fc1727f5b75a6421a1f95c73bbdb23580c48e5 + SHA256: 88dd3952638ee82738c03168e6fd863fe4eab1059ee5e2926ad8cb587c255dc0 + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft + Software Validation v2, CN=CPUID + ValidFrom: '2009-02-02 00:00:00' + ValidTo: '2012-02-07 23:59:59' + Signature: 9a9bbecb393272aaedfd7a125e0fe581151a18a75a4094e082a38156f62018b9d59edef27429bbea60d6e146a2ce134546d54e00b6585c1d85e3aedfb3b9a5de7728a96b2bcc26106655bae6bc5ce3a72714f9e23282a2fba29fc870b394e832f07dc50ded3a042953fe91379769e424398278b6ed14ae4f6b4cce5fa7ba20fc8d157a78fd308214d177189bcd76b2bd62a861a8c1562e2748f338f7369f0f062804685399a6655fcb4564a644e7a8bee8330557376884cce9153992e8e205bc1474dbd0109b3c87991db9bb77a9dff5775267390431ce56ff49500d8ad70be34a0d9a0b112e07eb55f0fe07de9ac93a0b30cb36029b5ec41e032daf66627d4e + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 29f25a23906de1bbfa2c46067eba0ddd + Version: 3 + TBS: + MD5: fb72fa311261c4fb6a786e5cc7ce1d2f + SHA1: 1006abcf3b1eb43fd4cc42a2cc25346b3b9002c3 + SHA256: 
01beb7dc0d29b16a5506fc611b435aa0f4d9c50408ca404e91135e493a20890a + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + Signer: + - SerialNumber: 29f25a23906de1bbfa2c46067eba0ddd + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 + CA + Version: 1 + RichPEHeaderHash: + MD5: ac22d2bffa82e1f2eeaff75340ddf502 + SHA1: a884c8f5b8d433e30a79d959fb37fb0746ff537b + SHA256: 3e8f2e809174f7d618f3ce991f37c51a77d2a43db600925041b13fa3430146de + Sections: + .text: + Entropy: 6.237934687882857 + Virtual Size: '0x2180' + .rdata: + Entropy: 4.44829003144624 + Virtual Size: '0x2f4' + .data: + Entropy: 0.335842300318532 + Virtual Size: '0x1e0' + INIT: + Entropy: 5.414827215159332 + Virtual Size: '0x3dc' + .rsrc: + Entropy: 3.4140956924835417 + Virtual Size: '0x3d0' + .reloc: + Entropy: 5.51200680030155 + Virtual Size: '0x236' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2010-03-10 09:24:11' +- Filename: cpuz.sys + MD5: e747f164fc89566f934f9ec5627cd8c3 + SHA1: a958734d25865cbc6bcbc11090ab9d6b72799143 + SHA256: 5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02 + Authentihash: + MD5: b98238e731280f6d726e61b0016cb877 + SHA1: 820a00a0e0fc628d06ac1f779eb9e88d613d8934 + SHA256: b46fb3ed5a7a84ef594ab0b76f384aa2dca0614574478fb98308806612609465 + Description: CPUID Driver + Company: CPUID + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: CPUID service + 
ProductVersion: 6.1.7600.16385 + Copyright: Copyright(C) 2017 CPUID + MachineType: IA64 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - PsGetVersion + - IoCreateSymbolicLink + - IoCreateDevice + - KeTickCount + - KeBugCheckEx + - IofCompleteRequest + - MmMapIoSpace + - MmUnmapIoSpace + - ProbeForWrite + - IoDeleteDevice + - RtlInitUnicodeString + - IoDeleteSymbolicLink + - RtlUnwindEx + - RtlPcToFileHeader + - READ_PORT_USHORT + - WRITE_PORT_ULONG + - HalGetBusDataByOffset + - HalSetBusDataByOffset + - READ_PORT_UCHAR + - HalCallPal + - WRITE_PORT_UCHAR + - KeStallExecutionProcessor + - WRITE_PORT_USHORT + - READ_PORT_ULONG + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2006-11-08 00:00:00' + ValidTo: '2021-11-07 23:59:59' + Signature: 1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 250ce8e030612e9f2b89f7054d7cf8fd + Version: 3 + TBS: + MD5: 918d9eb6a6cd36c531eceb926170a7e1 + SHA1: 0ae95700d65e6f59715aa47048993ca7858e676a + SHA256: 47c46e6eaa3780eace3d0d891346cd373359d246b21a957219dbab4c8f37c166 + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 
93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID + ValidFrom: '2014-12-02 00:00:00' + ValidTo: '2018-03-02 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 2d8021d84f098e7abde199f818e211a4 + Version: 3 + TBS: + MD5: 8f8c7ccf1ef7e1ee347f49e8266008ca + SHA1: b856b993df73da9d824aa1e5161788bd10d1e10e + SHA256: 1dd13a417806106c76cfbcd3614fe27a0638d2aaf2731f6a110c05043e34ad91 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 2d8021d84f098e7abde199f818e211a4 + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 + RichPEHeaderHash: + MD5: 756be87f8c768cb8bfd02af932dd7589 + SHA1: 16c2ebba52ba9fb0ef5570c1d620daaaee63865a + SHA256: 48acdfbe5ad27d73c0fd9b115a49420f182d146bca52797ce33cc2a061ff0ced + Sections: + .text: + Entropy: 5.336714834529696 + Virtual Size: '0x5780' + .rdata: + Entropy: 4.010151907627347 + Virtual Size: '0x550' + .pdata: + Entropy: 3.4578065856245583 + Virtual Size: '0xd8' + .sdata: + Entropy: 1.1203888318125959 + Virtual Size: '0x420' + INIT: + Entropy: 5.015276332791068 + Virtual Size: '0x3e8' + .rsrc: + Entropy: 
3.388191426646717 + Virtual Size: '0x350' + .reloc: + Entropy: 0.9012044915351938 + Virtual Size: '0x188' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2017-03-23 05:27:23' +- Filename: cpuz.sys + MD5: c08063f052308b6f5882482615387f30 + SHA1: 252157ab2e33eed7aa112d1c93c720cadcee31ae + SHA256: 523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba + Authentihash: + MD5: a28d6b501a18377685e448a214f370a6 + SHA1: 732fdb7d346543552b44e6d127fa907df7ef8d81 + SHA256: 942a7b2ebca0edeff5803c8f899ee455c0ec279542c41d2db2664d58c1025c86 + Description: CPUID Driver + Company: CPUID + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: CPUID service + ProductVersion: 6.1.7600.16385 + Copyright: Copyright(C) 2010 CPUID + MachineType: AMD64 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - RtlAnsiStringToUnicodeString + - RtlInitUnicodeString + - IoDeleteDevice + - KeInitializeEvent + - RtlInitAnsiString + - MmUnmapIoSpace + - IoCancelIrp + - RtlFreeUnicodeString + - IoGetDeviceObjectPointer + - ExFreePoolWithTag + - IofCompleteRequest + - KeWaitForSingleObject + - PsGetVersion + - IoCreateSymbolicLink + - MmIsAddressValid + - ObfDereferenceObject + - IoCreateDevice + - IofCallDriver + - KeBugCheckEx + - IoDeleteSymbolicLink + - IoBuildDeviceIoControlRequest + - MmMapIoSpace + - ExAllocatePoolWithTag + - RtlUnwindEx + - HalSetBusDataByOffset + - KeStallExecutionProcessor + - HalGetBusDataByOffset + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , + G2 + ValidFrom: '2007-06-15 00:00:00' + ValidTo: '2012-06-14 23:59:59' + Signature: 
50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 3825d7faf861af9ef490e726b5d65ad5 + Version: 3 + TBS: + MD5: d6c7684e9aaa508cf268335f83afe040 + SHA1: 18066d20ad92409c567cdfde745279ff71c75226 + SHA256: a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2013-12-03 23:59:59' + Signature: 4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 47bf1995df8d524643f7db6d480d31a4 + Version: 3 + TBS: + MD5: 518d2ea8a21e879c942d504824ac211c + SHA1: 21ce87d827077e61abddf2beba69fde5432ea031 + SHA256: 1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 + CA + ValidFrom: '2004-07-16 00:00:00' + ValidTo: '2014-07-15 23:59:59' + Signature: 
ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 4191a15a3978dfcf496566381d4c75c2 + Version: 3 + TBS: + MD5: 41011f8d0e7c7a6408334ca387914c61 + SHA1: c7fc1727f5b75a6421a1f95c73bbdb23580c48e5 + SHA256: 88dd3952638ee82738c03168e6fd863fe4eab1059ee5e2926ad8cb587c255dc0 + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft + Software Validation v2, CN=CPUID + ValidFrom: '2009-02-02 00:00:00' + ValidTo: '2012-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 29f25a23906de1bbfa2c46067eba0ddd + Version: 3 + TBS: + MD5: fb72fa311261c4fb6a786e5cc7ce1d2f + SHA1: 1006abcf3b1eb43fd4cc42a2cc25346b3b9002c3 + SHA256: 01beb7dc0d29b16a5506fc611b435aa0f4d9c50408ca404e91135e493a20890a + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 
01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + Signer: + - SerialNumber: 29f25a23906de1bbfa2c46067eba0ddd + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 + CA + Version: 1 + RichPEHeaderHash: + MD5: 89dc670b5f7c06b577deeec9473dc96b + SHA1: af59c00ae531117ba9307257ab945cdf6c8309f6 + SHA256: 35b9d8fc904c88f4df237edc610727f89c415e48bcf135191c43832bb2935ba6 + Sections: + .text: + Entropy: 6.200416768922914 + Virtual Size: '0x2586' + .rdata: + Entropy: 4.272735727458459 + Virtual Size: '0x3e0' + .data: + Entropy: 0.378703493487675 + Virtual Size: '0x2c0' + .pdata: + Entropy: 3.401514027013751 + Virtual Size: 
'0x90' + INIT: + Entropy: 5.067835669413665 + Virtual Size: '0x406' + .rsrc: + Entropy: 3.3943730160709853 + Virtual Size: '0x350' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2011-09-21 02:23:41' +- Filename: cpuz.sys + MD5: 549e5148be5e7be17f9d416d8a0e333e + SHA1: 6d9e22a275a5477ea446e6c56ee45671fbcbb5f6 + SHA256: 592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c + Authentihash: + MD5: 00556fc028ef505e2a528e054c435923 + SHA1: f645fd2deb256b7e3b8dcb7213c4fb61f2e209ec + SHA256: c2159219e9986ab9e07e00a87fb83835230a2b99174e7f9b94096046c2dace55 + Description: CPUID Driver + Company: Windows (R) Win 7 DDK provider + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: Windows (R) Win 7 DDK driver + ProductVersion: 6.1.7600.16385 + Copyright: "\xA9 Microsoft Corporation. All rights reserved." + MachineType: IA64 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - PsGetVersion + - IoCreateSymbolicLink + - IoCreateDevice + - KeTickCount + - KeBugCheckEx + - IofCompleteRequest + - MmMapIoSpace + - MmUnmapIoSpace + - ProbeForWrite + - IoDeleteDevice + - RtlInitUnicodeString + - IoDeleteSymbolicLink + - __C_specific_handler + - READ_PORT_USHORT + - WRITE_PORT_ULONG + - HalGetBusDataByOffset + - HalSetBusDataByOffset + - READ_PORT_UCHAR + - HalCallPal + - WRITE_PORT_UCHAR + - KeStallExecutionProcessor + - WRITE_PORT_USHORT + - READ_PORT_ULONG + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , + G2 + ValidFrom: '2007-06-15 00:00:00' + ValidTo: '2012-06-14 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 3825d7faf861af9ef490e726b5d65ad5 + Version: 3 + TBS: + MD5: d6c7684e9aaa508cf268335f83afe040 + SHA1: 18066d20ad92409c567cdfde745279ff71c75226 + 
SHA256: a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2013-12-03 23:59:59' + Signature: 4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 47bf1995df8d524643f7db6d480d31a4 + Version: 3 + TBS: + MD5: 518d2ea8a21e879c942d504824ac211c + SHA1: 21ce87d827077e61abddf2beba69fde5432ea031 + SHA256: 1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 + CA + ValidFrom: '2004-07-16 00:00:00' + ValidTo: '2014-07-15 23:59:59' + Signature: ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 4191a15a3978dfcf496566381d4c75c2 + Version: 3 + TBS: + MD5: 41011f8d0e7c7a6408334ca387914c61 + SHA1: c7fc1727f5b75a6421a1f95c73bbdb23580c48e5 + SHA256: 88dd3952638ee82738c03168e6fd863fe4eab1059ee5e2926ad8cb587c255dc0 + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft + Software Validation v2, CN=CPUID + ValidFrom: '2009-02-02 00:00:00' + ValidTo: '2012-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 29f25a23906de1bbfa2c46067eba0ddd + Version: 
3 + TBS: + MD5: fb72fa311261c4fb6a786e5cc7ce1d2f + SHA1: 1006abcf3b1eb43fd4cc42a2cc25346b3b9002c3 + SHA256: 01beb7dc0d29b16a5506fc611b435aa0f4d9c50408ca404e91135e493a20890a + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + Signer: + - SerialNumber: 29f25a23906de1bbfa2c46067eba0ddd + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 + CA + Version: 1 + RichPEHeaderHash: + MD5: 3e05f63a445c98b6831d9476006337f7 + SHA1: 08c8e06efd3136ae964f86be406389c47f74e4dd + SHA256: e5965588f92317c7d220193aa42f12d30bae66f0008f4831568b8131edeeb70a + Sections: + .text: + Entropy: 5.396352784335148 + Virtual Size: '0x3130' + .rdata: + Entropy: 4.150556480845234 + Virtual Size: '0x348' + .pdata: + Entropy: 3.2551039363088288 + Virtual Size: '0x84' + .sdata: + Entropy: 1.055945444608438 + Virtual Size: '0x260' + INIT: + Entropy: 5.06628585370835 + Virtual Size: '0x3d6' + .rsrc: + Entropy: 3.4181439310744572 + Virtual Size: '0x3d0' + .reloc: + Entropy: 1.042907998495935 + Virtual Size: '0x146' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2010-07-09 05:17:26' +- Filename: cpuz.sys + MD5: d0c2caa17c7b6d2200e1b5aa9d07135e + SHA1: bad84fca57ab0ef0af9230a93e0cc3d149f9ccd0 + SHA256: 5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe + Authentihash: + MD5: 1a595aaefa6bd782d63e97de4fcec464 + SHA1: eae1ab9e3aac1a4de139993b7e63542befccf0df + SHA256: 6045d564286f00fc1efedd25ffd22ecb7eaf2b3a6c778e392319380c77e45658 + 
Description: CPUID Driver + Company: CPUID + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: CPUID service + ProductVersion: 6.1.7600.16385 + Copyright: Copyright(C) 2010 CPUID + MachineType: AMD64 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - RtlAnsiStringToUnicodeString + - RtlInitUnicodeString + - IoDeleteDevice + - KeInitializeEvent + - RtlInitAnsiString + - MmUnmapIoSpace + - IoCancelIrp + - RtlFreeUnicodeString + - IoGetDeviceObjectPointer + - MmMapIoSpace + - ExFreePoolWithTag + - KeWaitForSingleObject + - PsGetVersion + - IoCreateSymbolicLink + - MmIsAddressValid + - ObfDereferenceObject + - IoCreateDevice + - DbgPrint + - IofCallDriver + - KeBugCheckEx + - IoDeleteSymbolicLink + - IoBuildDeviceIoControlRequest + - IofCompleteRequest + - ExAllocatePoolWithTag + - RtlUnwindEx + - HalSetBusDataByOffset + - KeStallExecutionProcessor + - HalGetBusDataByOffset + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer + , G3 + ValidFrom: '2012-05-01 00:00:00' + ValidTo: '2012-12-31 23:59:59' + Signature: 1e98aa27b778b508b5c9726db7dfc00e98a635c488c9d2f66df14b1afbd5f92d99009ed1e79b8be13fbd39800c66cd07bc5c9854a694ba10d14e8babf56f65cc6709a2807c52e80e03d66b7ac60518ecc8ac427c072ca73d0866dc00edfd941d73f2729893b111d68fef8eeaacf496510cd08ddf31524f5eaf7da74a75e64ece2b9f292be7cf5d9f037e6e277b23ad622966af92e82ccebd9c7fdccd173c43c2093f7545c79ee4d7607f97c6e4aac769f5fccd74ac2cb048c1504e70561eb535d38ebeb1edacbdfe0cec857dd5bb856644195d9f93eb82ba639ed37c61ffc81bd923587f30a366a139265e92c33ccb3732faf5a38ddcd5b0a3e9253655d781fa + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 79a2a585f9d1154213d9b83ef6b68ded + Version: 3 + TBS: + MD5: e6d820afb23af20a65cf0b03247ea05e + SHA1: 7a8f7c37453f99390ee1e94bb5d3d1cba3a0eea7 + SHA256: 
7e722dc40e6b9abf8c20aa4d887e34b6d2c6b8cbe53a055d49bf9f5e946e0d27 + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2013-12-03 23:59:59' + Signature: 4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 47bf1995df8d524643f7db6d480d31a4 + Version: 3 + TBS: + MD5: 518d2ea8a21e879c942d504824ac211c + SHA1: 21ce87d827077e61abddf2beba69fde5432ea031 + SHA256: 1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2006-11-08 00:00:00' + ValidTo: '2021-11-07 23:59:59' + Signature: 1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 250ce8e030612e9f2b89f7054d7cf8fd + Version: 3 + TBS: + MD5: 918d9eb6a6cd36c531eceb926170a7e1 + SHA1: 0ae95700d65e6f59715aa47048993ca7858e676a + SHA256: 47c46e6eaa3780eace3d0d891346cd373359d246b21a957219dbab4c8f37c166 + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 
53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft + Software Validation v2, CN=CPUID + ValidFrom: '2012-01-06 00:00:00' + ValidTo: '2015-02-06 23:59:59' + Signature: be6fb3b3b33e9108a9a2273d1cf5eb3209a8c3a86ba7d66069393587f6b451b75b327ea15d36b1604aad5509c0ace37fa66e220b35764b9c201169677738c06802d2f798383c256c690898a663b0aeb519491057f9f24149c513abba2a4cab9934a684e5d83a34105fe6681f2b85d5ee06332d1c05c3627758442fd2fc94f5f68bb30f085cb1d31174e1461394aeef7b124291a099654d1103df3deab81e9658b5b5cc817061d688ae39e702f1d0dd420d6de931bed331960e089233b8576482e48d5b769fdfa8df02e1d098912444b324057826e1f72c26f045b2479a9b39eadfd6b2e1bd6db4057ef6b12ca385cad9a7ad82c4414e619f97dfd08a55f59053 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 53c8b54713882d4d5439511804935e + Version: 3 + TBS: + MD5: 49e7946e133b4aaa31899adb235d3fa9 + SHA1: f9f38ec49a6ccb990805be6dda0efa5f7fe8f7e7 + SHA256: 1bb998a806b890e3300be35de0daa1b691fa218ef3d58ee5ec1b43fd34250a74 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 53c8b54713882d4d5439511804935e + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 
2010 + CA + Version: 1 + RichPEHeaderHash: + MD5: dd4b3ae5449a7da46b90bead31c1bab6 + SHA1: 76abd50622838fcbb459166b2b42850bc5cfd18b + SHA256: 3bb0708613c56dbb77df753872797d73065432ac7c2ea3cde2569173972c7dac + Sections: + .text: + Entropy: 6.2041710477554854 + Virtual Size: '0x2616' + .rdata: + Entropy: 4.177976296652285 + Virtual Size: '0x3ec' + .data: + Entropy: 0.378703493487675 + Virtual Size: '0x2c0' + .pdata: + Entropy: 3.499086286863614 + Virtual Size: '0xc0' + INIT: + Entropy: 5.052256723807581 + Virtual Size: '0x41a' + .rsrc: + Entropy: 3.3943730160709853 + Virtual Size: '0x350' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2012-08-11 01:48:20' +- Filename: cpuz.sys + MD5: f310b453ac562f2c53d30aa6e35506bb + SHA1: eb44a05f8bba3d15e38454bd92999a856e6574eb + SHA256: 600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0 + Authentihash: + MD5: 423e8ee5a464bc64032924ee428b40af + SHA1: 37552fe06a39175032793e6317d124008a892f18 + SHA256: abf635a246752555868f203a565ead519c9ada06ea007545a47bf352678c342a + Description: CPUID Driver + Company: CPUID + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: CPUID service + ProductVersion: 6.1.7600.16385 + Copyright: Copyright(C) 2014 CPUID + MachineType: AMD64 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - RtlAnsiStringToUnicodeString + - RtlInitUnicodeString + - IoDeleteDevice + - KeInitializeEvent + - RtlInitAnsiString + - MmUnmapIoSpace + - IoCancelIrp + - RtlFreeUnicodeString + - IoGetDeviceObjectPointer + - ExFreePoolWithTag + - IofCompleteRequest + - KeWaitForSingleObject + - PsGetVersion + - IoCreateSymbolicLink + - ObfDereferenceObject + - IoCreateDevice + - IofCallDriver + - KeBugCheckEx + - IoDeleteSymbolicLink + - IoBuildDeviceIoControlRequest + - MmMapIoSpace + - ExAllocatePoolWithTag + - RtlUnwindEx + - HalSetBusDataByOffset + - KeStallExecutionProcessor + - HalGetBusDataByOffset + Signatures: + - 
CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2006-11-08 00:00:00' + ValidTo: '2021-11-07 23:59:59' + Signature: 1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 250ce8e030612e9f2b89f7054d7cf8fd + Version: 3 + TBS: + MD5: 918d9eb6a6cd36c531eceb926170a7e1 + SHA1: 0ae95700d65e6f59715aa47048993ca7858e676a + SHA256: 47c46e6eaa3780eace3d0d891346cd373359d246b21a957219dbab4c8f37c166 + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID + ValidFrom: '2014-12-02 00:00:00' + ValidTo: '2018-03-02 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 2d8021d84f098e7abde199f818e211a4 + Version: 3 + TBS: + MD5: 8f8c7ccf1ef7e1ee347f49e8266008ca + SHA1: b856b993df73da9d824aa1e5161788bd10d1e10e + SHA256: 1dd13a417806106c76cfbcd3614fe27a0638d2aaf2731f6a110c05043e34ad91 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at 
https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 2d8021d84f098e7abde199f818e211a4 + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 + RichPEHeaderHash: + MD5: b3dcf662ce69ad7b34717fb6aecf09a7 + SHA1: 63be2c28ecee71a739bfbaf38466362e998bc5bc + SHA256: f4257b7e95b00b38e446b2708cc342fe32846266064b94c78ec1f987731c2226 + Sections: + .text: + Entropy: 6.187068215362904 + Virtual Size: '0x30c6' + .rdata: + Entropy: 4.212054484888266 + Virtual Size: '0x424' + .data: + Entropy: 0.378703493487675 + Virtual Size: '0x2c0' + .pdata: + Entropy: 3.5511621274596537 + Virtual Size: '0xd8' + INIT: + Entropy: 5.131854482283732 + Virtual Size: '0x3ea' + .rsrc: + Entropy: 3.3971374522271924 + Virtual Size: '0x350' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2015-10-21 03:22:27' +- Filename: cpuz.sys + MD5: aa69b4255e786d968adbd75ba5cf3e93 + SHA1: af5f642b105d86f82ba6d5e7a55d6404bfb50875 + SHA256: 60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289 + Authentihash: + MD5: 2d28bedef20cc63f0ae1b726a5cb34e0 + SHA1: 92524be5b5320c3e08d880ecbcd36a9c8037a921 + SHA256: 47c9323ae818bd2a3b55fc04abd984bd940cd4e27b6d4af311edcb66988ce941 + Description: CPUID Driver + Company: Windows (R) Win 7 DDK provider + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: Windows (R) Win 7 DDK driver + ProductVersion: 
6.1.7600.16385 + Copyright: "\xA9 Microsoft Corporation. All rights reserved." + MachineType: AMD64 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - ExFreePoolWithTag + - RtlAnsiStringToUnicodeString + - RtlInitUnicodeString + - IoDeleteDevice + - ProbeForWrite + - KeInitializeEvent + - RtlInitAnsiString + - MmUnmapIoSpace + - RtlFreeUnicodeString + - IoGetDeviceObjectPointer + - IoDeleteSymbolicLink + - IofCompleteRequest + - KeWaitForSingleObject + - PsGetVersion + - IoCreateSymbolicLink + - MmIsAddressValid + - ObfDereferenceObject + - IoCreateDevice + - IofCallDriver + - KeBugCheckEx + - IoBuildDeviceIoControlRequest + - MmMapIoSpace + - ExAllocatePoolWithTag + - RtlUnwindEx + - HalSetBusDataByOffset + - HalGetBusDataByOffset + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , + G2 + ValidFrom: '2007-06-15 00:00:00' + ValidTo: '2012-06-14 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 3825d7faf861af9ef490e726b5d65ad5 + Version: 3 + TBS: + MD5: d6c7684e9aaa508cf268335f83afe040 + SHA1: 18066d20ad92409c567cdfde745279ff71c75226 + SHA256: a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2013-12-03 23:59:59' + Signature: 4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 47bf1995df8d524643f7db6d480d31a4 + Version: 3 + TBS: + MD5: 518d2ea8a21e879c942d504824ac211c + SHA1: 
21ce87d827077e61abddf2beba69fde5432ea031 + SHA256: 1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 + CA + ValidFrom: '2004-07-16 00:00:00' + ValidTo: '2014-07-15 23:59:59' + Signature: ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 4191a15a3978dfcf496566381d4c75c2 + Version: 3 + TBS: + MD5: 41011f8d0e7c7a6408334ca387914c61 + SHA1: c7fc1727f5b75a6421a1f95c73bbdb23580c48e5 + SHA256: 88dd3952638ee82738c03168e6fd863fe4eab1059ee5e2926ad8cb587c255dc0 + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft + Software Validation v2, CN=CPUID + ValidFrom: '2009-02-02 00:00:00' + ValidTo: '2012-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 29f25a23906de1bbfa2c46067eba0ddd + Version: 3 + TBS: + MD5: fb72fa311261c4fb6a786e5cc7ce1d2f + SHA1: 1006abcf3b1eb43fd4cc42a2cc25346b3b9002c3 + SHA256: 01beb7dc0d29b16a5506fc611b435aa0f4d9c50408ca404e91135e493a20890a + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 
40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + Signer: + - SerialNumber: 29f25a23906de1bbfa2c46067eba0ddd + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 + CA + Version: 1 + RichPEHeaderHash: + MD5: a38f27f93ae0a47de0beccf18bdd9f0d + SHA1: cd1a8f9d3317d025efd043e634381412d74f38d3 + SHA256: f570747684874e6d241bec749b182ef1902d578127bf1087132383695896986e + Sections: + .text: + Entropy: 6.169826234776459 + Virtual Size: '0x2176' + .rdata: + Entropy: 4.207878001994479 + Virtual Size: '0x3cc' + .data: + Entropy: 0.378703493487675 + Virtual Size: '0x2c0' + .pdata: + Entropy: 3.4966307212281404 + Virtual Size: '0xc0' + INIT: + Entropy: 5.089554733637361 + Virtual Size: '0x3e4' + .rsrc: + Entropy: 3.4155760648585995 + Virtual Size: '0x3d0' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2010-03-16 05:00:47' +- Filename: cpuz.sys + MD5: 3411fdf098aa20193eee5ffa36ba43b2 + SHA1: ad05bff5fe45df9e08252717fc2bc2af57bf026f + SHA256: 67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc + Authentihash: + MD5: 41fd82e071d4afdfd8a895d0ab4fb568 + SHA1: b72edd113acbd4bb98374b80c1d238eb1e348f15 + SHA256: 3b2a3b74127c7ecf095e0fe5a65af31b9701d2ba6dc2a4d87882de65d84842c0 + Description: CPUID Driver + Company: CPUID + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: CPUID service + ProductVersion: 6.1.7600.16385 + Copyright: Copyright(C) 2010 CPUID + MachineType: I386 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - IofCompleteRequest + - ExFreePool + - ExAllocatePoolWithTag + - RtlFreeUnicodeString + - ObfDereferenceObject + - MmIsAddressValid + - IoGetDeviceObjectPointer + - MmUnmapIoSpace + - RtlInitAnsiString + - MmMapIoSpace + - IoCreateSymbolicLink + - IoCreateDevice + - KeTickCount + - KeBugCheckEx + - RtlInitUnicodeString + - 
IoDeleteSymbolicLink + - IoDeleteDevice + - PsGetVersion + - KeInitializeEvent + - IoBuildDeviceIoControlRequest + - IofCallDriver + - KeWaitForSingleObject + - RtlAnsiStringToUnicodeString + - IoCancelIrp + - RtlUnwind + - READ_PORT_USHORT + - READ_PORT_ULONG + - WRITE_PORT_UCHAR + - WRITE_PORT_USHORT + - WRITE_PORT_ULONG + - HalGetBusDataByOffset + - HalSetBusDataByOffset + - KeStallExecutionProcessor + - READ_PORT_UCHAR + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , + G2 + ValidFrom: '2007-06-15 00:00:00' + ValidTo: '2012-06-14 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 3825d7faf861af9ef490e726b5d65ad5 + Version: 3 + TBS: + MD5: d6c7684e9aaa508cf268335f83afe040 + SHA1: 18066d20ad92409c567cdfde745279ff71c75226 + SHA256: a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2013-12-03 23:59:59' + Signature: 4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 47bf1995df8d524643f7db6d480d31a4 + Version: 3 + TBS: + MD5: 518d2ea8a21e879c942d504824ac211c + SHA1: 21ce87d827077e61abddf2beba69fde5432ea031 + SHA256: 1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 + CA + ValidFrom: '2004-07-16 00:00:00' + ValidTo: '2014-07-15 23:59:59' + Signature: 
ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 4191a15a3978dfcf496566381d4c75c2 + Version: 3 + TBS: + MD5: 41011f8d0e7c7a6408334ca387914c61 + SHA1: c7fc1727f5b75a6421a1f95c73bbdb23580c48e5 + SHA256: 88dd3952638ee82738c03168e6fd863fe4eab1059ee5e2926ad8cb587c255dc0 + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft + Software Validation v2, CN=CPUID + ValidFrom: '2009-02-02 00:00:00' + ValidTo: '2012-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 29f25a23906de1bbfa2c46067eba0ddd + Version: 3 + TBS: + MD5: fb72fa311261c4fb6a786e5cc7ce1d2f + SHA1: 1006abcf3b1eb43fd4cc42a2cc25346b3b9002c3 + SHA256: 01beb7dc0d29b16a5506fc611b435aa0f4d9c50408ca404e91135e493a20890a + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + Signer: + - SerialNumber: 29f25a23906de1bbfa2c46067eba0ddd + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 + CA + Version: 1 + RichPEHeaderHash: + MD5: 4ba73072bea66755a70f3a8c99951424 + SHA1: d9ce039d736544c2d9b7fe44460d8e006a5c62f0 + 
SHA256: 3b45bc2da9543317e7a22486f86a3f8c0eb289596d1d7661b47e35e99058861f + Sections: + .text: + Entropy: 6.1851356647481595 + Virtual Size: '0x2600' + .rdata: + Entropy: 4.469676429308113 + Virtual Size: '0x2f8' + .data: + Entropy: 0.22396935932252834 + Virtual Size: '0x1c0' + INIT: + Entropy: 5.358436362596031 + Virtual Size: '0x3f4' + .rsrc: + Entropy: 3.3927376128305218 + Virtual Size: '0x350' + .reloc: + Entropy: 5.38153465292173 + Virtual Size: '0x244' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2011-09-21 02:24:20' +- Filename: cpuz.sys + MD5: f60a9b88c6ff07d4990d8653d0025683 + SHA1: 0cc60a56e245e70f664906b7b67dfe1b4a08a5b7 + SHA256: 6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63 + Authentihash: + MD5: a3d5faa9e1a6f47f8e0a23ef837afe38 + SHA1: bb21b535fa0adaef1a9a29759e0d2b2a5faf1965 + SHA256: 5e9099b95b2074fecc6efa6d59552651b1e082aaa3612889f417064d378a797f + Description: CPUID Driver + Company: CPUID + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: CPUID service + ProductVersion: 6.1.7600.16385 + Copyright: Copyright(C) 2014 CPUID + MachineType: IA64 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - PsGetVersion + - IoCreateSymbolicLink + - IoCreateDevice + - KeTickCount + - KeBugCheckEx + - IofCompleteRequest + - MmMapIoSpace + - MmUnmapIoSpace + - ProbeForWrite + - IoDeleteDevice + - RtlInitUnicodeString + - IoDeleteSymbolicLink + - RtlUnwindEx + - RtlPcToFileHeader + - READ_PORT_USHORT + - WRITE_PORT_ULONG + - HalGetBusDataByOffset + - HalSetBusDataByOffset + - READ_PORT_UCHAR + - HalCallPal + - WRITE_PORT_UCHAR + - KeStallExecutionProcessor + - WRITE_PORT_USHORT + - READ_PORT_ULONG + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA + , G2 + ValidFrom: '2012-12-21 00:00:00' + ValidTo: '2020-12-30 23:59:59' + Signature: 
03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 7e93ebfb7cc64e59ea4b9a77d406fc3b + Version: 3 + TBS: + MD5: d0785ad36e427c92b19f6826ab1e8020 + SHA1: 365b7a9c21bd9373e49052c3e7b3e4646ddd4d43 + SHA256: c2abb7484da91a658548de089d52436175fdb760a1387d225611dc0613a1e2ff + - Subject: C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer + , G4 + ValidFrom: '2012-10-18 00:00:00' + ValidTo: '2020-12-29 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 0ecff438c8febf356e04d86a981b1a50 + Version: 3 + TBS: + MD5: e9d38360b914c8863f6cba3ee58764d3 + SHA1: 4cba8eae47b6bf76f20b3504b98b8f062694a89b + SHA256: 88901d86a4cc1f1bb193d08e1fb63d27452e63f83e228c657ab1a92e4ade3976 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2006-11-08 00:00:00' + ValidTo: '2021-11-07 23:59:59' + Signature: 1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 250ce8e030612e9f2b89f7054d7cf8fd + Version: 3 + TBS: + MD5: 918d9eb6a6cd36c531eceb926170a7e1 + SHA1: 0ae95700d65e6f59715aa47048993ca7858e676a + SHA256: 47c46e6eaa3780eace3d0d891346cd373359d246b21a957219dbab4c8f37c166 + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft + Software Validation v2, CN=CPUID + ValidFrom: '2012-01-06 00:00:00' + ValidTo: '2015-02-06 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 53c8b54713882d4d5439511804935e + Version: 3 + TBS: + MD5: 49e7946e133b4aaa31899adb235d3fa9 + SHA1: f9f38ec49a6ccb990805be6dda0efa5f7fe8f7e7 + SHA256: 1bb998a806b890e3300be35de0daa1b691fa218ef3d58ee5ec1b43fd34250a74 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + 
ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 53c8b54713882d4d5439511804935e + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 + RichPEHeaderHash: + MD5: d6643b31d447dc612fb7920d936baf5a + SHA1: 0d2acfebbfb9a35446bb9ff7b915c8ff514fd7dc + SHA256: 98f7bc08e99aa659bfb0295c09adf8ccfdb7f7ad8cc065cfb4f0732585c1855c + Sections: + .text: + Entropy: 5.3484809966574 + Virtual Size: '0x3b60' + .rdata: + Entropy: 4.154715674967178 + Virtual Size: '0x3d8' + .pdata: + Entropy: 3.4060649759113413 + Virtual Size: '0xb4' + .sdata: + Entropy: 1.1203888318125959 + Virtual Size: '0x2a0' + INIT: + Entropy: 5.0324391219722715 + Virtual Size: '0x3e8' + .rsrc: + Entropy: 3.3971374522271924 + Virtual Size: '0x350' + .reloc: + Entropy: 0.9557665440658051 + Virtual Size: '0x168' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2014-02-17 07:22:11' +- Filename: cpuz.sys + MD5: c046ca4da48db1524ddf3a49a8d02b65 + SHA1: 5635bb2478929010693bc3b23f8b7fe5fdbc3aed + SHA256: 771015b2620942919bb2e0683476635b7a09db55216d6fbf03534cb18513b20c + Authentihash: + MD5: 49da5e87cba74d3bd91bd589e49b0d1a + SHA1: e79179e0a586067e9d9654c2a8dfd45963ddcac3 + SHA256: 36729c2c714e05ebf9bc7262bc7f0d5d25d9dc9c8e0c4fdce27143bbdd9d9aa7 + Description: CPUID Driver + Company: CPUID + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: CPUID service + ProductVersion: 6.1.7600.16385 + Copyright: Copyright(C) 2015 CPUID + 
MachineType: IA64 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - PsGetVersion + - IoCreateSymbolicLink + - IoCreateDevice + - KeTickCount + - KeBugCheckEx + - IofCompleteRequest + - MmMapIoSpace + - MmUnmapIoSpace + - ProbeForWrite + - IoDeleteDevice + - RtlInitUnicodeString + - IoDeleteSymbolicLink + - __C_specific_handler + - READ_PORT_USHORT + - WRITE_PORT_ULONG + - HalGetBusDataByOffset + - HalSetBusDataByOffset + - READ_PORT_UCHAR + - HalCallPal + - WRITE_PORT_UCHAR + - KeStallExecutionProcessor + - WRITE_PORT_USHORT + - READ_PORT_ULONG + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2006-11-08 00:00:00' + ValidTo: '2021-11-07 23:59:59' + Signature: 1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 250ce8e030612e9f2b89f7054d7cf8fd + Version: 3 + TBS: + MD5: 918d9eb6a6cd36c531eceb926170a7e1 + SHA1: 0ae95700d65e6f59715aa47048993ca7858e676a + SHA256: 47c46e6eaa3780eace3d0d891346cd373359d246b21a957219dbab4c8f37c166 + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 
01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID + ValidFrom: '2014-12-02 00:00:00' + ValidTo: '2018-03-02 23:59:59' + Signature: a59808b35f916a1201f0987b958aaaf50b81f3e507cf9d1b902bc22787244617e38069e4ca74bcf505dfdfeb6bad8bee2ecba26a428c2b26c9b9987241b50ccfd895a7335b35534c5569fdef2554d773cb3b20f10e08eeff2701d2a3e8ef7c5bb759baf1995d1580dce4f0c5da90eff4f07e01e7c9273b24c14c514f2ae1d1fe940dd53bfa25572cd6f3c007c7f21aebc58ea32ca3aea83c731419c9dcc191158cbb52b0b70545a16c9b42aadd4dcb167443d6c15fa03ae7f6f0f644845a69cb8badb3f143fd916a70c5008c3486d1f0cc8e0527f76da5aeaca4925f6eb6861dd54e1ce8b80e6b000446d77ac8bd0299e38db3b8e4a9c43294367cd6a55351d0 + 
SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 2d8021d84f098e7abde199f818e211a4 + Version: 3 + TBS: + MD5: 8f8c7ccf1ef7e1ee347f49e8266008ca + SHA1: b856b993df73da9d824aa1e5161788bd10d1e10e + SHA256: 1dd13a417806106c76cfbcd3614fe27a0638d2aaf2731f6a110c05043e34ad91 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 2d8021d84f098e7abde199f818e211a4 + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 + RichPEHeaderHash: + MD5: 8ea619be06260d53ffafd0dc9b610cb0 + SHA1: c796bfcf888f2b8841388524d2117d3bb17c0e8c + SHA256: 0140c43b66ca9c67a08bcb7eaddab10203a2c2b75bd411d5eecf8d0d78dce9c6 + Sections: + .text: + Entropy: 5.372120601484934 + Virtual Size: '0x3850' + .rdata: + Entropy: 4.096307336199365 + Virtual Size: '0x3a0' + .pdata: + Entropy: 3.3485198020390934 + Virtual Size: '0x9c' + .sdata: + Entropy: 1.055945444608438 + Virtual Size: '0x260' + INIT: + Entropy: 5.065598292840257 + Virtual Size: '0x3d6' + .rsrc: + Entropy: 3.3958173868041217 + Virtual Size: '0x350' + .reloc: + Entropy: 1.0164053768066021 + Virtual Size: '0x14e' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2015-11-18 02:17:31' +- Filename: cpuz.sys + MD5: 0283b43c6bc965175a1c92b255d39556 + SHA1: 8325e8d7fd2edc126dcf1089dee8da64e79fb12e + SHA256: 
80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1 + Authentihash: + MD5: b978a03408c0e9ea44ffdeecc35ab83e + SHA1: fed654a9c5f2bf2a1ad9a2e94da162633fb468c5 + SHA256: 72f9cb24cfa641876f34967b96244259f95987ef24d1d729c0e483b3eb9a2740 + Description: CPUID Driver + Company: CPUID + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: CPUID service + ProductVersion: 6.1.7600.16385 + Copyright: Copyright(C) 2010 CPUID + MachineType: I386 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - IofCompleteRequest + - ExFreePool + - ExAllocatePoolWithTag + - RtlFreeUnicodeString + - ObfDereferenceObject + - MmIsAddressValid + - IoGetDeviceObjectPointer + - MmUnmapIoSpace + - RtlInitAnsiString + - MmMapIoSpace + - IoCreateSymbolicLink + - IoCreateDevice + - RtlUnwind + - KeTickCount + - KeBugCheckEx + - RtlInitUnicodeString + - IoDeleteSymbolicLink + - IoDeleteDevice + - PsGetVersion + - KeInitializeEvent + - IoBuildDeviceIoControlRequest + - IofCallDriver + - KeWaitForSingleObject + - RtlAnsiStringToUnicodeString + - IoCancelIrp + - READ_PORT_USHORT + - READ_PORT_ULONG + - WRITE_PORT_UCHAR + - WRITE_PORT_USHORT + - WRITE_PORT_ULONG + - HalGetBusDataByOffset + - HalSetBusDataByOffset + - KeStallExecutionProcessor + - READ_PORT_UCHAR + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , + G2 + ValidFrom: '2007-06-15 00:00:00' + ValidTo: '2012-06-14 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 3825d7faf861af9ef490e726b5d65ad5 + Version: 3 + TBS: + MD5: d6c7684e9aaa508cf268335f83afe040 + SHA1: 18066d20ad92409c567cdfde745279ff71c75226 + SHA256: a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff + - Subject: C=US, O=VeriSign, Inc., 
CN=VeriSign Time Stamping Services CA + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2013-12-03 23:59:59' + Signature: 4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 47bf1995df8d524643f7db6d480d31a4 + Version: 3 + TBS: + MD5: 518d2ea8a21e879c942d504824ac211c + SHA1: 21ce87d827077e61abddf2beba69fde5432ea031 + SHA256: 1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2006-11-08 00:00:00' + ValidTo: '2021-11-07 23:59:59' + Signature: 1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 250ce8e030612e9f2b89f7054d7cf8fd + Version: 3 + TBS: + MD5: 918d9eb6a6cd36c531eceb926170a7e1 + SHA1: 0ae95700d65e6f59715aa47048993ca7858e676a + SHA256: 47c46e6eaa3780eace3d0d891346cd373359d246b21a957219dbab4c8f37c166 + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 
40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft + Software Validation v2, CN=CPUID + ValidFrom: '2012-01-06 00:00:00' + ValidTo: '2015-02-06 23:59:59' + Signature: be6fb3b3b33e9108a9a2273d1cf5eb3209a8c3a86ba7d66069393587f6b451b75b327ea15d36b1604aad5509c0ace37fa66e220b35764b9c201169677738c06802d2f798383c256c690898a663b0aeb519491057f9f24149c513abba2a4cab9934a684e5d83a34105fe6681f2b85d5ee06332d1c05c3627758442fd2fc94f5f68bb30f085cb1d31174e1461394aeef7b124291a099654d1103df3deab81e9658b5b5cc817061d688ae39e702f1d0dd420d6de931bed331960e089233b8576482e48d5b769fdfa8df02e1d098912444b324057826e1f72c26f045b2479a9b39eadfd6b2e1bd6db4057ef6b12ca385cad9a7ad82c4414e619f97dfd08a55f59053 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 53c8b54713882d4d5439511804935e + Version: 3 + TBS: + MD5: 49e7946e133b4aaa31899adb235d3fa9 + SHA1: f9f38ec49a6ccb990805be6dda0efa5f7fe8f7e7 + SHA256: 1bb998a806b890e3300be35de0daa1b691fa218ef3d58ee5ec1b43fd34250a74 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: 
b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 53c8b54713882d4d5439511804935e + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 + RichPEHeaderHash: + MD5: 41f15d0f328a165973b49de608ef72a2 + SHA1: abcd9850775bd0a1a855e785a238e0e69525810f + SHA256: 02dc44b04a6426fcaedf26995bfa471f123a90a9c747e82cebaf95f394890631 + Sections: + .text: + Entropy: 6.217479588256463 + Virtual Size: '0x2750' + .rdata: + Entropy: 4.550469836478717 + Virtual Size: '0x2f0' + .data: + Entropy: 0.335842300318532 + Virtual Size: '0x1e0' + INIT: + Entropy: 5.41983369153965 + Virtual Size: '0x3f4' + .rsrc: + Entropy: 3.3927376128305218 + Virtual Size: '0x350' + .reloc: + Entropy: 5.5051908528223255 + Virtual Size: '0x254' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2012-02-07 08:44:19' +- Filename: cpuz.sys + MD5: 4a85754636c694572ca9f440d254f5ce + SHA1: dd55015f5406f0051853fd7cca3ab0406b5a2d52 + SHA256: 8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b + Authentihash: + MD5: 3a19663e83c3569a86812ef915de52bc + SHA1: cd9a022e078eaa2364155e00942edbecb85619b0 + SHA256: 8d3ed9427dcc4f79be3585d41ab9c0bb447d6a0258dd919c4d49e02dedbaa47b + Description: CPUID Driver + Company: Windows (R) Win 7 DDK provider + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: Windows (R) Win 7 DDK driver + ProductVersion: 6.1.7600.16385 + Copyright: "\xA9 Microsoft Corporation. All rights reserved." 
+ MachineType: AMD64 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - RtlAnsiStringToUnicodeString + - RtlInitUnicodeString + - IoDeleteDevice + - KeInitializeEvent + - RtlInitAnsiString + - MmUnmapIoSpace + - RtlFreeUnicodeString + - IoGetDeviceObjectPointer + - MmMapIoSpace + - ExFreePoolWithTag + - KeWaitForSingleObject + - PsGetVersion + - IoCreateSymbolicLink + - MmIsAddressValid + - ObfDereferenceObject + - IoCreateDevice + - IofCallDriver + - KeBugCheckEx + - IoDeleteSymbolicLink + - IoBuildDeviceIoControlRequest + - IofCompleteRequest + - ExAllocatePoolWithTag + - RtlUnwindEx + - HalSetBusDataByOffset + - KeStallExecutionProcessor + - HalGetBusDataByOffset + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , + G2 + ValidFrom: '2007-06-15 00:00:00' + ValidTo: '2012-06-14 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 3825d7faf861af9ef490e726b5d65ad5 + Version: 3 + TBS: + MD5: d6c7684e9aaa508cf268335f83afe040 + SHA1: 18066d20ad92409c567cdfde745279ff71c75226 + SHA256: a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2013-12-03 23:59:59' + Signature: 4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 47bf1995df8d524643f7db6d480d31a4 + Version: 3 + TBS: + MD5: 518d2ea8a21e879c942d504824ac211c + SHA1: 21ce87d827077e61abddf2beba69fde5432ea031 + SHA256: 
1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 + CA + ValidFrom: '2004-07-16 00:00:00' + ValidTo: '2014-07-15 23:59:59' + Signature: ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 4191a15a3978dfcf496566381d4c75c2 + Version: 3 + TBS: + MD5: 41011f8d0e7c7a6408334ca387914c61 + SHA1: c7fc1727f5b75a6421a1f95c73bbdb23580c48e5 + SHA256: 88dd3952638ee82738c03168e6fd863fe4eab1059ee5e2926ad8cb587c255dc0 + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft + Software Validation v2, CN=CPUID + ValidFrom: '2009-02-02 00:00:00' + ValidTo: '2012-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 29f25a23906de1bbfa2c46067eba0ddd + Version: 3 + TBS: + MD5: fb72fa311261c4fb6a786e5cc7ce1d2f + SHA1: 1006abcf3b1eb43fd4cc42a2cc25346b3b9002c3 + SHA256: 01beb7dc0d29b16a5506fc611b435aa0f4d9c50408ca404e91135e493a20890a + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + Signer: + - SerialNumber: 
29f25a23906de1bbfa2c46067eba0ddd + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 + CA + Version: 1 + RichPEHeaderHash: + MD5: 93394769f926489de472acbbd72c3d8b + SHA1: 6e6c943f13b82d4d46331de813914d4db63771f7 + SHA256: 53362bef3277e59f67ebc5a085f1cbe60e5c9aef1a18a2ac391b2f4954fa9649 + Sections: + .text: + Entropy: 6.206552850925677 + Virtual Size: '0x21a6' + .rdata: + Entropy: 4.27776755944508 + Virtual Size: '0x3c0' + .data: + Entropy: 0.378703493487675 + Virtual Size: '0x2c0' + .pdata: + Entropy: 3.401674357474197 + Virtual Size: '0x90' + INIT: + Entropy: 5.076342695575086 + Virtual Size: '0x3f0' + .rsrc: + Entropy: 3.4148190207283133 + Virtual Size: '0x3d0' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2010-06-04 07:51:45' +- Filename: cpuz.sys + MD5: 8741e6df191c805028b92cec44b1ba88 + SHA1: ba0938512d7abab23a72279b914d0ea0fb46e498 + SHA256: 8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775 + Authentihash: + MD5: a67c91579145d058cf7cd3f8f60bf613 + SHA1: cb981516b9979025669c080a74c9308dca04963a + SHA256: 02fcbc5372c9bf31903376bde11d558ab7c7f13bde005120e24bdb1aef5d0134 + Description: CPUID Driver + Company: CPUID + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: CPUID service + ProductVersion: 6.1.7600.16385 + Copyright: Copyright(C) 2014 CPUID + MachineType: AMD64 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - RtlAnsiStringToUnicodeString + - RtlInitUnicodeString + - IoDeleteDevice + - KeInitializeEvent + - RtlInitAnsiString + - MmUnmapIoSpace + - IoCancelIrp + - RtlFreeUnicodeString + - IoGetDeviceObjectPointer + - ExFreePoolWithTag + - IofCompleteRequest + - KeWaitForSingleObject + - PsGetVersion + - IoCreateSymbolicLink + - ObfDereferenceObject + - IoCreateDevice + - IofCallDriver + - KeBugCheckEx + - IoDeleteSymbolicLink + - 
IoBuildDeviceIoControlRequest + - MmMapIoSpace + - ExAllocatePoolWithTag + - RtlUnwindEx + - HalSetBusDataByOffset + - KeStallExecutionProcessor + - HalGetBusDataByOffset + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA + , G2 + ValidFrom: '2012-12-21 00:00:00' + ValidTo: '2020-12-30 23:59:59' + Signature: 03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 7e93ebfb7cc64e59ea4b9a77d406fc3b + Version: 3 + TBS: + MD5: d0785ad36e427c92b19f6826ab1e8020 + SHA1: 365b7a9c21bd9373e49052c3e7b3e4646ddd4d43 + SHA256: c2abb7484da91a658548de089d52436175fdb760a1387d225611dc0613a1e2ff + - Subject: C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer + , G4 + ValidFrom: '2012-10-18 00:00:00' + ValidTo: '2020-12-29 23:59:59' + Signature: 783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 0ecff438c8febf356e04d86a981b1a50 + Version: 3 + TBS: + MD5: e9d38360b914c8863f6cba3ee58764d3 + SHA1: 4cba8eae47b6bf76f20b3504b98b8f062694a89b + SHA256: 88901d86a4cc1f1bb193d08e1fb63d27452e63f83e228c657ab1a92e4ade3976 + - Subject: C=US, 
O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2006-11-08 00:00:00' + ValidTo: '2021-11-07 23:59:59' + Signature: 1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 250ce8e030612e9f2b89f7054d7cf8fd + Version: 3 + TBS: + MD5: 918d9eb6a6cd36c531eceb926170a7e1 + SHA1: 0ae95700d65e6f59715aa47048993ca7858e676a + SHA256: 47c46e6eaa3780eace3d0d891346cd373359d246b21a957219dbab4c8f37c166 + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d6943
44dd665 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID + ValidFrom: '2014-12-02 00:00:00' + ValidTo: '2018-03-02 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 2d8021d84f098e7abde199f818e211a4 + Version: 3 + TBS: + MD5: 8f8c7ccf1ef7e1ee347f49e8266008ca + SHA1: b856b993df73da9d824aa1e5161788bd10d1e10e + SHA256: 1dd13a417806106c76cfbcd3614fe27a0638d2aaf2731f6a110c05043e34ad91 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 2d8021d84f098e7abde199f818e211a4 + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 + RichPEHeaderHash: + MD5: b3dcf662ce69ad7b34717fb6aecf09a7 + SHA1: 63be2c28ecee71a739bfbaf38466362e998bc5bc + SHA256: f4257b7e95b00b38e446b2708cc342fe32846266064b94c78ec1f987731c2226 + Sections: + .text: + Entropy: 6.187068215362904 + Virtual Size: '0x30c6' + .rdata: + Entropy: 4.226233458071221 + Virtual Size: '0x424' + .data: + Entropy: 
0.378703493487675 + Virtual Size: '0x2c0' + .pdata: + Entropy: 3.5511621274596537 + Virtual Size: '0xd8' + INIT: + Entropy: 5.131854482283732 + Virtual Size: '0x3ea' + .rsrc: + Entropy: 3.3971374522271924 + Virtual Size: '0x350' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2015-02-26 00:04:34' +- Filename: cpuz.sys + MD5: bf581e9eb91bace0b02a2c5a54bf1419 + SHA1: 13df48ab4cd412651b2604829ce9b61d39a791bb + SHA256: 8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2 + Authentihash: + MD5: b2c31454c057d73fb6d240356a32f8f1 + SHA1: f965db8fa1ef4ce0a738aad55d82c0cf63a47915 + SHA256: 16398965e9cea179b2e5ca884e3af032dece08d4ef33bdd83234ee441d71a5fa + Description: CPUID Driver + Company: CPUID + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: CPUID service + ProductVersion: 6.1.7600.16385 + Copyright: Copyright(C) 2015 CPUID + MachineType: AMD64 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - RtlAnsiStringToUnicodeString + - RtlInitUnicodeString + - IoDeleteDevice + - KeInitializeEvent + - RtlInitAnsiString + - MmUnmapIoSpace + - IoCancelIrp + - RtlFreeUnicodeString + - IoGetDeviceObjectPointer + - ExFreePoolWithTag + - IofCompleteRequest + - KeWaitForSingleObject + - PsGetVersion + - IoCreateSymbolicLink + - ObfDereferenceObject + - IoCreateDevice + - IofCallDriver + - KeBugCheckEx + - IoDeleteSymbolicLink + - IoBuildDeviceIoControlRequest + - MmMapIoSpace + - ExAllocatePoolWithTag + - RtlUnwindEx + - HalSetBusDataByOffset + - KeStallExecutionProcessor + - HalGetBusDataByOffset + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2006-11-08 00:00:00' + ValidTo: '2021-11-07 23:59:59' + Signature: 1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 250ce8e030612e9f2b89f7054d7cf8fd + Version: 3 + TBS: + MD5: 918d9eb6a6cd36c531eceb926170a7e1 + SHA1: 0ae95700d65e6f59715aa47048993ca7858e676a + SHA256: 47c46e6eaa3780eace3d0d891346cd373359d246b21a957219dbab4c8f37c166 + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID + ValidFrom: '2014-12-02 00:00:00' + ValidTo: '2018-03-02 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 2d8021d84f098e7abde199f818e211a4 + Version: 3 + TBS: + MD5: 8f8c7ccf1ef7e1ee347f49e8266008ca + SHA1: b856b993df73da9d824aa1e5161788bd10d1e10e + SHA256: 1dd13a417806106c76cfbcd3614fe27a0638d2aaf2731f6a110c05043e34ad91 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + 
Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 2d8021d84f098e7abde199f818e211a4 + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 + RichPEHeaderHash: + MD5: b3dcf662ce69ad7b34717fb6aecf09a7 + SHA1: 63be2c28ecee71a739bfbaf38466362e998bc5bc + SHA256: f4257b7e95b00b38e446b2708cc342fe32846266064b94c78ec1f987731c2226 + Sections: + .text: + Entropy: 6.188258985068624 + Virtual Size: '0x30c6' + .rdata: + Entropy: 4.223852822083244 + Virtual Size: '0x424' + .data: + Entropy: 0.378703493487675 + Virtual Size: '0x2c0' + .pdata: + Entropy: 3.5511621274596537 + Virtual Size: '0xd8' + INIT: + Entropy: 5.131854482283732 + Virtual Size: '0x3ea' + .rsrc: + Entropy: 3.3958173868041217 + Virtual Size: '0x350' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2016-01-27 02:18:15' +- Filename: cpuz.sys + MD5: 94ccef76fda12ab0b8270f9b2980552b + SHA1: e4cbb48aa1aff6cf4ea94ef3b7afb6c245ac47e8 + SHA256: 8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126 + Authentihash: + MD5: ac9131c2fc8e77ef414ad451d35e4d1e + SHA1: 7b63ad1179825964aae9d1486fefed1b8f26a8a8 + SHA256: 1a8a5aebf83d1fa6daf74e48fc600e22b8fdceafb5dd7c7e14db2aa2a28e8c24 + Description: CPUID Driver + Company: Windows (R) Codename Longhorn DDK provider + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.0.6000.16386 built by: WinDDK' + Product: Windows (R) Codename Longhorn DDK driver + ProductVersion: 6.0.6000.16386 + Copyright: "\xA9 Microsoft Corporation. All rights reserved." 
+ MachineType: AMD64 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - KeWaitForSingleObject + - PsGetVersion + - MmUnmapIoSpace + - IoBuildDeviceIoControlRequest + - IoCreateSymbolicLink + - IoDeleteSymbolicLink + - MmIsAddressValid + - ObfDereferenceObject + - IofCompleteRequest + - RtlFreeUnicodeString + - RtlAnsiStringToUnicodeString + - IofCallDriver + - IoGetDeviceObjectPointer + - RtlInitUnicodeString + - IoDeleteDevice + - MmMapIoSpace + - KeBugCheckEx + - RtlInitAnsiString + - IoCreateDevice + - KeInitializeEvent + - RtlUnwindEx + - HalSetBusDataByOffset + - HalGetBusDataByOffset + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , + G2 + ValidFrom: '2007-06-15 00:00:00' + ValidTo: '2012-06-14 23:59:59' + Signature: 50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 3825d7faf861af9ef490e726b5d65ad5 + Version: 3 + TBS: + MD5: d6c7684e9aaa508cf268335f83afe040 + SHA1: 18066d20ad92409c567cdfde745279ff71c75226 + SHA256: a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2013-12-03 23:59:59' + Signature: 
4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 47bf1995df8d524643f7db6d480d31a4 + Version: 3 + TBS: + MD5: 518d2ea8a21e879c942d504824ac211c + SHA1: 21ce87d827077e61abddf2beba69fde5432ea031 + SHA256: 1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 + CA + ValidFrom: '2004-07-16 00:00:00' + ValidTo: '2014-07-15 23:59:59' + Signature: ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 4191a15a3978dfcf496566381d4c75c2 + Version: 3 + TBS: + MD5: 41011f8d0e7c7a6408334ca387914c61 + SHA1: c7fc1727f5b75a6421a1f95c73bbdb23580c48e5 + SHA256: 88dd3952638ee82738c03168e6fd863fe4eab1059ee5e2926ad8cb587c255dc0 + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft + Software Validation v2, CN=CPUID + ValidFrom: '2007-02-08 00:00:00' + ValidTo: '2009-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 10e29d74903d9c7cd58caa35a0944770 + Version: 3 + TBS: + MD5: 5e3b5587eb8c553dc279bb241c30689d + SHA1: 5b5631ff0033ed753a5c630a4d8d48772050db32 + SHA256: 9b30d9d9f9fd9c0480c0503dd4ac86649d2cc180d1401ade6dd8048356d7f634 + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public 
Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + Signer: + - SerialNumber: 10e29d74903d9c7cd58caa35a0944770 + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 + CA + Version: 1 + RichPEHeaderHash: + MD5: 59cd82b693e20fe9af1be9ea12f739b9 + SHA1: 1842433338394740479c35b690fc50c41d9f6efa + SHA256: fa2e40c67651befa71893d8a672a90a1f996057b6f5c15d2304bbfe120cf9115 + Sections: + .text: + Entropy: 6.050801271329098 + Virtual Size: '0x1596' + .rdata: + Entropy: 4.266884457332851 + Virtual Size: '0x304' + .data: + Entropy: 0.6099523004172788 + Virtual Size: '0x124' + .pdata: + Entropy: 3.2933218797117716 + Virtual Size: '0x6c' + INIT: + Entropy: 4.943162739985603 + Virtual Size: '0x370' + .rsrc: + Entropy: 3.3933870153256342 + Virtual Size: '0x400' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2008-01-25 04:39:05' +- Filename: cpuz.sys + MD5: 9b157f1261a8a42e4ef5ec23dd4cda9e + SHA1: 99bd8c1f5eeedd9f6a9252df5dbd0e42ef5999a4 + SHA256: 900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88 + Authentihash: + MD5: 99cba45243e4a9e5999224b5719ccc2d + SHA1: 43ffee630881d6ae82640c59c674e9ee57cb5eac + SHA256: 94f39e23194d01698b2d8e7bb1c212bf192e81df59766d4adf5f7e33bbe13181 + Description: CPUID Driver + Company: CPUID + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: CPUID service + ProductVersion: 6.1.7600.16385 + Copyright: Copyright(C) 2015 CPUID + MachineType: I386 + Imports: + - ntoskrnl.exe + 
- HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - IofCompleteRequest + - ExFreePool + - ExAllocatePoolWithTag + - RtlFreeUnicodeString + - ObfDereferenceObject + - IoGetDeviceObjectPointer + - RtlAnsiStringToUnicodeString + - MmUnmapIoSpace + - MmMapIoSpace + - IoCreateSymbolicLink + - IoCreateDevice + - RtlUnwind + - KeTickCount + - KeBugCheckEx + - RtlInitUnicodeString + - IoDeleteSymbolicLink + - IoDeleteDevice + - PsGetVersion + - KeInitializeEvent + - IoBuildDeviceIoControlRequest + - IofCallDriver + - KeWaitForSingleObject + - RtlInitAnsiString + - IoCancelIrp + - READ_PORT_USHORT + - READ_PORT_ULONG + - WRITE_PORT_UCHAR + - WRITE_PORT_USHORT + - WRITE_PORT_ULONG + - KeStallExecutionProcessor + - HalSetBusDataByOffset + - HalGetBusDataByOffset + - READ_PORT_UCHAR + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2006-11-08 00:00:00' + ValidTo: '2021-11-07 23:59:59' + Signature: 1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 250ce8e030612e9f2b89f7054d7cf8fd + Version: 3 + TBS: + MD5: 918d9eb6a6cd36c531eceb926170a7e1 + SHA1: 0ae95700d65e6f59715aa47048993ca7858e676a + SHA256: 47c46e6eaa3780eace3d0d891346cd373359d246b21a957219dbab4c8f37c166 + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + 
SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID + ValidFrom: '2014-12-02 00:00:00' + ValidTo: '2018-03-02 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 2d8021d84f098e7abde199f818e211a4 + Version: 3 + TBS: + MD5: 8f8c7ccf1ef7e1ee347f49e8266008ca + SHA1: b856b993df73da9d824aa1e5161788bd10d1e10e + SHA256: 1dd13a417806106c76cfbcd3614fe27a0638d2aaf2731f6a110c05043e34ad91 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 2d8021d84f098e7abde199f818e211a4 + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 + RichPEHeaderHash: + MD5: 151279b238de6194a32d8ca426ceaeee + SHA1: 7836f9fa452c5a538aed446df8439f2f49cc74aa + SHA256: 1319e59df060332195af6318ab22fe3f5018b1498211216a28a48f73980ab3b0 + Sections: + .text: + Entropy: 6.229266851006058 + Virtual Size: '0x3260' + .rdata: + Entropy: 4.675179768119331 + Virtual Size: '0x2f4' + .data: + Entropy: 0.335842300318532 + Virtual Size: '0x1e0' + INIT: + Entropy: 5.428373271150746 + Virtual 
Size: '0x3dc' + .rsrc: + Entropy: 3.3925686987119477 + Virtual Size: '0x350' + .reloc: + Entropy: 5.597642275362914 + Virtual Size: '0x27c' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2015-11-18 02:14:04' +- Filename: cpuz.sys + MD5: 5212e0957468d3f94d90fa7a0f06b58f + SHA1: ad1616ea6dc17c91d983e829aa8a6706e81a3d27 + SHA256: 955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad + Authentihash: + MD5: 9b4bb5dc9df3edd0d7d859629c80c2dc + SHA1: 706789b1bf76e4d337957a36d60b96b7743f9f62 + SHA256: eb6807c46e2d4808f07cca9242e7a59393fdab6ccf4da1aec124ef2a34398d43 + Description: CPUID Driver + Company: CPUID + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: CPUID service + ProductVersion: 6.1.7600.16385 + Copyright: Copyright(C) 2014 CPUID + MachineType: AMD64 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - RtlAnsiStringToUnicodeString + - RtlInitUnicodeString + - IoDeleteDevice + - KeInitializeEvent + - RtlInitAnsiString + - MmUnmapIoSpace + - IoCancelIrp + - RtlFreeUnicodeString + - IoGetDeviceObjectPointer + - ExFreePoolWithTag + - IofCompleteRequest + - KeWaitForSingleObject + - PsGetVersion + - IoCreateSymbolicLink + - MmIsAddressValid + - ObfDereferenceObject + - IoCreateDevice + - IofCallDriver + - KeBugCheckEx + - IoDeleteSymbolicLink + - IoBuildDeviceIoControlRequest + - MmMapIoSpace + - ExAllocatePoolWithTag + - RtlUnwindEx + - HalSetBusDataByOffset + - KeStallExecutionProcessor + - HalGetBusDataByOffset + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA + , G2 + ValidFrom: '2012-12-21 00:00:00' + ValidTo: '2020-12-30 23:59:59' + Signature: 
03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 7e93ebfb7cc64e59ea4b9a77d406fc3b + Version: 3 + TBS: + MD5: d0785ad36e427c92b19f6826ab1e8020 + SHA1: 365b7a9c21bd9373e49052c3e7b3e4646ddd4d43 + SHA256: c2abb7484da91a658548de089d52436175fdb760a1387d225611dc0613a1e2ff + - Subject: C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer + , G4 + ValidFrom: '2012-10-18 00:00:00' + ValidTo: '2020-12-29 23:59:59' + Signature: 783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 0ecff438c8febf356e04d86a981b1a50 + Version: 3 + TBS: + MD5: e9d38360b914c8863f6cba3ee58764d3 + SHA1: 4cba8eae47b6bf76f20b3504b98b8f062694a89b + SHA256: 88901d86a4cc1f1bb193d08e1fb63d27452e63f83e228c657ab1a92e4ade3976 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2006-11-08 00:00:00' + ValidTo: '2021-11-07 23:59:59' + Signature: 1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 250ce8e030612e9f2b89f7054d7cf8fd + Version: 3 + TBS: + MD5: 918d9eb6a6cd36c531eceb926170a7e1 + SHA1: 0ae95700d65e6f59715aa47048993ca7858e676a + SHA256: 47c46e6eaa3780eace3d0d891346cd373359d246b21a957219dbab4c8f37c166 + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft + Software Validation v2, CN=CPUID + ValidFrom: '2012-01-06 00:00:00' + ValidTo: '2015-02-06 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 53c8b54713882d4d5439511804935e + Version: 3 + TBS: + MD5: 49e7946e133b4aaa31899adb235d3fa9 + SHA1: f9f38ec49a6ccb990805be6dda0efa5f7fe8f7e7 + SHA256: 1bb998a806b890e3300be35de0daa1b691fa218ef3d58ee5ec1b43fd34250a74 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + 
ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 53c8b54713882d4d5439511804935e + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 + RichPEHeaderHash: + MD5: 685a19a8e9f46a76067db83da501dca0 + SHA1: 5f76e4cf5157450837536db016e9981cb41394d2 + SHA256: 1a0c69ff029488d41c7d9413943c28d389016adb26698d9baf02c6f32739d591 + Sections: + .text: + Entropy: 6.201540970632788 + Virtual Size: '0x2c56' + .rdata: + Entropy: 4.139510166690065 + Virtual Size: '0x424' + .data: + Entropy: 0.378703493487675 + Virtual Size: '0x2c0' + .pdata: + Entropy: 3.603856484265247 + Virtual Size: '0xc0' + INIT: + Entropy: 5.076575853289 + Virtual Size: '0x406' + .rsrc: + Entropy: 3.3938887641350184 + Virtual Size: '0x350' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2014-02-17 07:22:16' +- Filename: cpuz.sys + MD5: 56b54823a79a53747cbe11f8c4db7b1e + SHA1: 1d9fd846e12104ae31fd6f6040b93fc689abf047 + SHA256: 9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c + Authentihash: + MD5: 
c8b8d6e4b9b4f42714f3abfb66880ccf + SHA1: 5848f7c4dadcb1ea16f4d9e533a84a6d6f522f8b + SHA256: 057e45b47fe0ca96fe3741058bc4365c9a866dff925cab8cfea4c161b990e8e2 + Description: CPUID Driver + Company: CPUID + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: CPUID service + ProductVersion: 6.1.7600.16385 + Copyright: Copyright(C) 2010 CPUID + MachineType: AMD64 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - RtlAnsiStringToUnicodeString + - RtlInitUnicodeString + - IoDeleteDevice + - KeInitializeEvent + - RtlInitAnsiString + - MmUnmapIoSpace + - IoCancelIrp + - RtlFreeUnicodeString + - IoGetDeviceObjectPointer + - MmMapIoSpace + - ExFreePoolWithTag + - KeWaitForSingleObject + - PsGetVersion + - IoCreateSymbolicLink + - MmIsAddressValid + - ObfDereferenceObject + - IoCreateDevice + - DbgPrint + - IofCallDriver + - KeBugCheckEx + - IoDeleteSymbolicLink + - IoBuildDeviceIoControlRequest + - IofCompleteRequest + - ExAllocatePoolWithTag + - RtlUnwindEx + - HalSetBusDataByOffset + - KeStallExecutionProcessor + - HalGetBusDataByOffset + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer + , G3 + ValidFrom: '2012-05-01 00:00:00' + ValidTo: '2012-12-31 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 79a2a585f9d1154213d9b83ef6b68ded + Version: 3 + TBS: + MD5: e6d820afb23af20a65cf0b03247ea05e + SHA1: 7a8f7c37453f99390ee1e94bb5d3d1cba3a0eea7 + SHA256: 7e722dc40e6b9abf8c20aa4d887e34b6d2c6b8cbe53a055d49bf9f5e946e0d27 + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2013-12-03 23:59:59' + Signature: 
4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 47bf1995df8d524643f7db6d480d31a4 + Version: 3 + TBS: + MD5: 518d2ea8a21e879c942d504824ac211c + SHA1: 21ce87d827077e61abddf2beba69fde5432ea031 + SHA256: 1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2006-11-08 00:00:00' + ValidTo: '2021-11-07 23:59:59' + Signature: 1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 250ce8e030612e9f2b89f7054d7cf8fd + Version: 3 + TBS: + MD5: 918d9eb6a6cd36c531eceb926170a7e1 + SHA1: 0ae95700d65e6f59715aa47048993ca7858e676a + SHA256: 47c46e6eaa3780eace3d0d891346cd373359d246b21a957219dbab4c8f37c166 + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , 
Microsoft + Software Validation v2, CN=CPUID + ValidFrom: '2012-01-06 00:00:00' + ValidTo: '2015-02-06 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 53c8b54713882d4d5439511804935e + Version: 3 + TBS: + MD5: 49e7946e133b4aaa31899adb235d3fa9 + SHA1: f9f38ec49a6ccb990805be6dda0efa5f7fe8f7e7 + SHA256: 1bb998a806b890e3300be35de0daa1b691fa218ef3d58ee5ec1b43fd34250a74 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 53c8b54713882d4d5439511804935e + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 + RichPEHeaderHash: + MD5: dd4b3ae5449a7da46b90bead31c1bab6 + SHA1: 76abd50622838fcbb459166b2b42850bc5cfd18b + SHA256: 3bb0708613c56dbb77df753872797d73065432ac7c2ea3cde2569173972c7dac + Sections: + .text: + Entropy: 6.203757143489118 + Virtual Size: '0x2616' + .rdata: + Entropy: 4.1950691845593875 + Virtual Size: '0x3ec' + .data: + Entropy: 0.378703493487675 + Virtual Size: '0x2c0' + .pdata: + Entropy: 3.499086286863614 + Virtual Size: '0xc0' + INIT: + Entropy: 5.052256723807581 + Virtual Size: '0x41a' + .rsrc: + Entropy: 3.3943730160709853 + Virtual Size: '0x350' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2012-05-23 08:53:22' +- Filename: cpuz.sys + MD5: 
29872c7376c42e2a64fa838dad98aa11 + SHA1: 8ec28d7da81cf202f03761842738d740c0bb2fed + SHA256: a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4 + Authentihash: + MD5: 3c2269699f0187275c2b144f9b60d5e6 + SHA1: 69aabc267344bd9f98bd2fddc7213de735ba79d7 + SHA256: 2fb8f2a0a32f2e73921a16a7836ff14122da45582aae742e6afd4d7ca15b3da3 + Description: CPUID Driver + Company: CPUID + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: CPUID service + ProductVersion: 6.1.7600.16385 + Copyright: Copyright(C) 2016 CPUID + MachineType: AMD64 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - RtlAnsiStringToUnicodeString + - RtlInitUnicodeString + - IoDeleteDevice + - KeInitializeEvent + - RtlInitAnsiString + - MmUnmapIoSpace + - IoCancelIrp + - RtlFreeUnicodeString + - IoGetDeviceObjectPointer + - ExFreePoolWithTag + - IofCompleteRequest + - KeWaitForSingleObject + - PsGetVersion + - IoCreateSymbolicLink + - ObfDereferenceObject + - IoCreateDevice + - IofCallDriver + - KeBugCheckEx + - IoDeleteSymbolicLink + - IoBuildDeviceIoControlRequest + - MmMapIoSpace + - ExAllocatePoolWithTag + - RtlUnwindEx + - HalSetBusDataByOffset + - KeStallExecutionProcessor + - HalGetBusDataByOffset + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2006-11-08 00:00:00' + ValidTo: '2021-11-07 23:59:59' + Signature: 1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 250ce8e030612e9f2b89f7054d7cf8fd + Version: 3 + TBS: + MD5: 918d9eb6a6cd36c531eceb926170a7e1 + SHA1: 0ae95700d65e6f59715aa47048993ca7858e676a + SHA256: 47c46e6eaa3780eace3d0d891346cd373359d246b21a957219dbab4c8f37c166 + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + 
IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID + ValidFrom: '2014-12-02 00:00:00' + ValidTo: '2018-03-02 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 2d8021d84f098e7abde199f818e211a4 + Version: 3 + TBS: + MD5: 8f8c7ccf1ef7e1ee347f49e8266008ca + SHA1: b856b993df73da9d824aa1e5161788bd10d1e10e + SHA256: 1dd13a417806106c76cfbcd3614fe27a0638d2aaf2731f6a110c05043e34ad91 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 2d8021d84f098e7abde199f818e211a4 + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 + RichPEHeaderHash: + MD5: b3dcf662ce69ad7b34717fb6aecf09a7 + SHA1: 63be2c28ecee71a739bfbaf38466362e998bc5bc + SHA256: f4257b7e95b00b38e446b2708cc342fe32846266064b94c78ec1f987731c2226 + Sections: + .text: + Entropy: 6.219876754346496 + Virtual Size: '0x3366' + .rdata: + Entropy: 4.23881802889425 + Virtual Size: '0x424' + .data: + Entropy: 0.378703493487675 + Virtual Size: '0x440' + .pdata: + 
Entropy: 3.638628882332417 + Virtual Size: '0xf0' + INIT: + Entropy: 5.131854482283732 + Virtual Size: '0x3ea' + .rsrc: + Entropy: 3.38341382722288 + Virtual Size: '0x350' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2016-08-14 13:15:42' +- Filename: cpuz.sys + MD5: 557fd33ee99db6fe263cfcb82b7866b3 + SHA1: 0a6e0f9f3d7179a99345d40e409895c12919195b + SHA256: aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399 + Authentihash: + MD5: b8844b695f5170c70ac66f95324f836a + SHA1: 195024cc4a4adea16e6c2df8f2f8489a28f36beb + SHA256: 66cc007348a41fb33fab59f5ea265006534ba82db4eb7327039cbe2b4ce7e077 + Description: CPUID Driver + Company: CPUID + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: CPUID service + ProductVersion: 6.1.7600.16385 + Copyright: Copyright(C) 2012 CPUID + MachineType: IA64 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - PsGetVersion + - IoCreateSymbolicLink + - IoCreateDevice + - KeTickCount + - KeBugCheckEx + - IofCompleteRequest + - MmMapIoSpace + - MmUnmapIoSpace + - ProbeForWrite + - IoDeleteDevice + - RtlInitUnicodeString + - IoDeleteSymbolicLink + - RtlUnwindEx + - RtlPcToFileHeader + - READ_PORT_USHORT + - WRITE_PORT_ULONG + - HalGetBusDataByOffset + - HalSetBusDataByOffset + - READ_PORT_UCHAR + - HalCallPal + - WRITE_PORT_UCHAR + - KeStallExecutionProcessor + - WRITE_PORT_USHORT + - READ_PORT_ULONG + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer + , G3 + ValidFrom: '2012-05-01 00:00:00' + ValidTo: '2012-12-31 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 79a2a585f9d1154213d9b83ef6b68ded + Version: 3 + TBS: + MD5: e6d820afb23af20a65cf0b03247ea05e + SHA1: 7a8f7c37453f99390ee1e94bb5d3d1cba3a0eea7 + SHA256: 
7e722dc40e6b9abf8c20aa4d887e34b6d2c6b8cbe53a055d49bf9f5e946e0d27 + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2013-12-03 23:59:59' + Signature: 4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 47bf1995df8d524643f7db6d480d31a4 + Version: 3 + TBS: + MD5: 518d2ea8a21e879c942d504824ac211c + SHA1: 21ce87d827077e61abddf2beba69fde5432ea031 + SHA256: 1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2006-11-08 00:00:00' + ValidTo: '2021-11-07 23:59:59' + Signature: 1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 250ce8e030612e9f2b89f7054d7cf8fd + Version: 3 + TBS: + MD5: 918d9eb6a6cd36c531eceb926170a7e1 + SHA1: 0ae95700d65e6f59715aa47048993ca7858e676a + SHA256: 47c46e6eaa3780eace3d0d891346cd373359d246b21a957219dbab4c8f37c166 + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 
53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft + Software Validation v2, CN=CPUID + ValidFrom: '2012-01-06 00:00:00' + ValidTo: '2015-02-06 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 53c8b54713882d4d5439511804935e + Version: 3 + TBS: + MD5: 49e7946e133b4aaa31899adb235d3fa9 + SHA1: f9f38ec49a6ccb990805be6dda0efa5f7fe8f7e7 + SHA256: 1bb998a806b890e3300be35de0daa1b691fa218ef3d58ee5ec1b43fd34250a74 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 53c8b54713882d4d5439511804935e + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 + RichPEHeaderHash: + MD5: d6643b31d447dc612fb7920d936baf5a + SHA1: 0d2acfebbfb9a35446bb9ff7b915c8ff514fd7dc + SHA256: 98f7bc08e99aa659bfb0295c09adf8ccfdb7f7ad8cc065cfb4f0732585c1855c + Sections: + .text: + Entropy: 5.406032855001113 + Virtual Size: '0x39c0' + .rdata: + Entropy: 4.152970301277938 + Virtual Size: '0x3d8' + .pdata: + Entropy: 3.3263502634141657 + Virtual Size: '0xb4' + .sdata: + Entropy: 1.1203888318125959 + Virtual 
Size: '0x2a0' + INIT: + Entropy: 5.0324391219722715 + Virtual Size: '0x3e8' + .rsrc: + Entropy: 3.3968253502148213 + Virtual Size: '0x350' + .reloc: + Entropy: 0.9613220996213607 + Virtual Size: '0x168' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2012-10-06 05:54:39' +- Filename: cpuz.sys + MD5: c516acb873c7f8c24a0431df8287756e + SHA1: f6f7b5776001149496092a95fb10218dea5d6a6b + SHA256: bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa + Authentihash: + MD5: a14a1ba39405f52d67d289b65f0c7eb9 + SHA1: 11172e3f08444d643f277be83aaabe9f2aea74ca + SHA256: 3ce4a30668938fb7785c9958772e3c171af320ecfea8fc298160e80fbf80fb73 + Description: CPUID Driver + Company: CPUID + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: CPUID service + ProductVersion: 6.1.7600.16385 + Copyright: Copyright(C) 2017 CPUID + MachineType: AMD64 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - RtlInitUnicodeString + - IoDeleteDevice + - KeInitializeEvent + - RtlInitAnsiString + - MmUnmapIoSpace + - IoCancelIrp + - RtlFreeUnicodeString + - IoGetDeviceObjectPointer + - RtlAnsiStringToUnicodeString + - IofCompleteRequest + - KeWaitForSingleObject + - PsGetVersion + - IoCreateSymbolicLink + - ObfDereferenceObject + - IoCreateDevice + - IofCallDriver + - KeBugCheckEx + - ExFreePoolWithTag + - IoDeleteSymbolicLink + - IoBuildDeviceIoControlRequest + - MmMapIoSpace + - ExAllocatePoolWithTag + - RtlUnwindEx + - HalGetBusDataByOffset + - HalSetBusDataByOffset + - KeStallExecutionProcessor + - KeQueryPerformanceCounter + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2006-11-08 00:00:00' + ValidTo: '2021-11-07 23:59:59' + Signature: 1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 250ce8e030612e9f2b89f7054d7cf8fd + Version: 3 + TBS: + MD5: 918d9eb6a6cd36c531eceb926170a7e1 + SHA1: 0ae95700d65e6f59715aa47048993ca7858e676a + SHA256: 47c46e6eaa3780eace3d0d891346cd373359d246b21a957219dbab4c8f37c166 + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + 
IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID + ValidFrom: '2014-12-02 00:00:00' + ValidTo: '2018-03-02 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 2d8021d84f098e7abde199f818e211a4 + Version: 3 + TBS: + MD5: 8f8c7ccf1ef7e1ee347f49e8266008ca + SHA1: b856b993df73da9d824aa1e5161788bd10d1e10e + SHA256: 1dd13a417806106c76cfbcd3614fe27a0638d2aaf2731f6a110c05043e34ad91 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 2d8021d84f098e7abde199f818e211a4 + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 + RichPEHeaderHash: + MD5: c046d6f14ec39d2a0f67a417bda83c5e + SHA1: 74661f1063b4c80566f75a1bee22c35f7af17fa9 + SHA256: 440eebbdc09d290724d364056ba4e2725c75759819a6df0a1ed5c876ed7d2474 + Sections: + .text: + Entropy: 6.170317476121287 + Virtual Size: '0x4536' + .rdata: + Entropy: 4.190423561703195 + Virtual Size: '0x534' + .data: + Entropy: 0.378703493487675 + Virtual Size: '0x440' + .pdata: + 
Entropy: 3.6289632983036624 + Virtual Size: '0xfc' + INIT: + Entropy: 5.132100585029012 + Virtual Size: '0x40e' + .rsrc: + Entropy: 3.394946071861716 + Virtual Size: '0x350' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2017-03-23 05:26:40' +- Filename: cpuz.sys + MD5: 641243746597fbd650e5000d95811ea3 + SHA1: da42cefde56d673850f5ef69e7934d39a6de3025 + SHA256: c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e + Authentihash: + MD5: 560b782df855c5ea30b76ee4a9930d28 + SHA1: 6423659ab76fad7627fd7fb16f05a40b8df8da4d + SHA256: 62daa7ab93684d935cdada8af43cba552d7692cb992411d27ba1ee50a9fb1883 + Description: CPUID Driver + Company: Windows (R) Win 7 DDK provider + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: Windows (R) Win 7 DDK driver + ProductVersion: 6.1.7600.16385 + Copyright: "\xA9 Microsoft Corporation. All rights reserved." + MachineType: AMD64 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - RtlAnsiStringToUnicodeString + - RtlInitUnicodeString + - IoDeleteDevice + - ProbeForWrite + - KeInitializeEvent + - RtlInitAnsiString + - MmUnmapIoSpace + - RtlFreeUnicodeString + - IoGetDeviceObjectPointer + - ExFreePoolWithTag + - IofCompleteRequest + - KeWaitForSingleObject + - PsGetVersion + - IoCreateSymbolicLink + - MmIsAddressValid + - ObfDereferenceObject + - IoCreateDevice + - IofCallDriver + - KeBugCheckEx + - IoDeleteSymbolicLink + - IoBuildDeviceIoControlRequest + - MmMapIoSpace + - ExAllocatePoolWithTag + - RtlUnwindEx + - HalSetBusDataByOffset + - KeStallExecutionProcessor + - HalGetBusDataByOffset + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , + G2 + ValidFrom: '2007-06-15 00:00:00' + ValidTo: '2012-06-14 23:59:59' + Signature: 
50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 3825d7faf861af9ef490e726b5d65ad5 + Version: 3 + TBS: + MD5: d6c7684e9aaa508cf268335f83afe040 + SHA1: 18066d20ad92409c567cdfde745279ff71c75226 + SHA256: a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2013-12-03 23:59:59' + Signature: 4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 47bf1995df8d524643f7db6d480d31a4 + Version: 3 + TBS: + MD5: 518d2ea8a21e879c942d504824ac211c + SHA1: 21ce87d827077e61abddf2beba69fde5432ea031 + SHA256: 1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 + CA + ValidFrom: '2004-07-16 00:00:00' + ValidTo: '2014-07-15 23:59:59' + Signature: 
ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 4191a15a3978dfcf496566381d4c75c2 + Version: 3 + TBS: + MD5: 41011f8d0e7c7a6408334ca387914c61 + SHA1: c7fc1727f5b75a6421a1f95c73bbdb23580c48e5 + SHA256: 88dd3952638ee82738c03168e6fd863fe4eab1059ee5e2926ad8cb587c255dc0 + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft + Software Validation v2, CN=CPUID + ValidFrom: '2009-02-02 00:00:00' + ValidTo: '2012-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 29f25a23906de1bbfa2c46067eba0ddd + Version: 3 + TBS: + MD5: fb72fa311261c4fb6a786e5cc7ce1d2f + SHA1: 1006abcf3b1eb43fd4cc42a2cc25346b3b9002c3 + SHA256: 01beb7dc0d29b16a5506fc611b435aa0f4d9c50408ca404e91135e493a20890a + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + Signer: + - SerialNumber: 29f25a23906de1bbfa2c46067eba0ddd + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 + CA + Version: 1 + RichPEHeaderHash: + MD5: 89dc670b5f7c06b577deeec9473dc96b + SHA1: af59c00ae531117ba9307257ab945cdf6c8309f6 + 
SHA256: 35b9d8fc904c88f4df237edc610727f89c415e48bcf135191c43832bb2935ba6 + Sections: + .text: + Entropy: 6.180122394967694 + Virtual Size: '0x2136' + .rdata: + Entropy: 4.244772424988803 + Virtual Size: '0x3d0' + .data: + Entropy: 0.378703493487675 + Virtual Size: '0x2c0' + .pdata: + Entropy: 3.5003735460865424 + Virtual Size: '0x90' + INIT: + Entropy: 5.069433080691773 + Virtual Size: '0x408' + .rsrc: + Entropy: 3.4155760648585995 + Virtual Size: '0x3d0' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2010-03-30 15:34:16' +- Filename: cpuz.sys + MD5: a453083b8f4ca7cb60cac327e97edbe2 + SHA1: 53f7fc4feb66af748f2ab295394bf4de62ae9fcc + SHA256: c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26 + Authentihash: + MD5: b3bf90b99dec81a927b9fa8467d20e11 + SHA1: 0632e0c8fdb6e629fd2efa5ccdf4a8415131bc58 + SHA256: 536333c1fb9066a12c7791b740fcf637f6f86b45bd57baf0f27ae33c3b6c6cf1 + Description: CPUID Driver + Company: CPUID + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: CPUID service + ProductVersion: 6.1.7600.16385 + Copyright: Copyright(C) 2013 CPUID + MachineType: AMD64 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - RtlAnsiStringToUnicodeString + - RtlInitUnicodeString + - IoDeleteDevice + - KeInitializeEvent + - RtlInitAnsiString + - MmUnmapIoSpace + - IoCancelIrp + - RtlFreeUnicodeString + - IoGetDeviceObjectPointer + - ExFreePoolWithTag + - IofCompleteRequest + - KeWaitForSingleObject + - PsGetVersion + - IoCreateSymbolicLink + - MmIsAddressValid + - ObfDereferenceObject + - IoCreateDevice + - IofCallDriver + - KeBugCheckEx + - IoDeleteSymbolicLink + - IoBuildDeviceIoControlRequest + - MmMapIoSpace + - ExAllocatePoolWithTag + - RtlUnwindEx + - HalSetBusDataByOffset + - KeStallExecutionProcessor + - HalGetBusDataByOffset + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=Symantec Corporation, CN=Symantec Time 
Stamping Services CA + , G2 + ValidFrom: '2012-12-21 00:00:00' + ValidTo: '2020-12-30 23:59:59' + Signature: 03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 7e93ebfb7cc64e59ea4b9a77d406fc3b + Version: 3 + TBS: + MD5: d0785ad36e427c92b19f6826ab1e8020 + SHA1: 365b7a9c21bd9373e49052c3e7b3e4646ddd4d43 + SHA256: c2abb7484da91a658548de089d52436175fdb760a1387d225611dc0613a1e2ff + - Subject: C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer + , G4 + ValidFrom: '2012-10-18 00:00:00' + ValidTo: '2020-12-29 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 0ecff438c8febf356e04d86a981b1a50 + Version: 3 + TBS: + MD5: e9d38360b914c8863f6cba3ee58764d3 + SHA1: 4cba8eae47b6bf76f20b3504b98b8f062694a89b + SHA256: 88901d86a4cc1f1bb193d08e1fb63d27452e63f83e228c657ab1a92e4ade3976 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2006-11-08 00:00:00' + ValidTo: '2021-11-07 23:59:59' + Signature: 1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 250ce8e030612e9f2b89f7054d7cf8fd + Version: 3 + TBS: + MD5: 918d9eb6a6cd36c531eceb926170a7e1 + SHA1: 0ae95700d65e6f59715aa47048993ca7858e676a + SHA256: 47c46e6eaa3780eace3d0d891346cd373359d246b21a957219dbab4c8f37c166 + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft + Software Validation v2, CN=CPUID + ValidFrom: '2012-01-06 00:00:00' + ValidTo: '2015-02-06 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 53c8b54713882d4d5439511804935e + Version: 3 + TBS: + MD5: 49e7946e133b4aaa31899adb235d3fa9 + SHA1: f9f38ec49a6ccb990805be6dda0efa5f7fe8f7e7 + SHA256: 1bb998a806b890e3300be35de0daa1b691fa218ef3d58ee5ec1b43fd34250a74 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + 
ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 53c8b54713882d4d5439511804935e + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 + RichPEHeaderHash: + MD5: 685a19a8e9f46a76067db83da501dca0 + SHA1: 5f76e4cf5157450837536db016e9981cb41394d2 + SHA256: 1a0c69ff029488d41c7d9413943c28d389016adb26698d9baf02c6f32739d591 + Sections: + .text: + Entropy: 6.111492164689909 + Virtual Size: '0x2836' + .rdata: + Entropy: 4.175526657333754 + Virtual Size: '0x3d4' + .data: + Entropy: 0.378703493487675 + Virtual Size: '0x2c0' + .pdata: + Entropy: 3.4970531643346394 + Virtual Size: '0xc0' + INIT: + Entropy: 5.076575853289 + Virtual Size: '0x406' + .rsrc: + Entropy: 3.3935766621226473 + Virtual Size: '0x350' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2013-08-24 02:56:35' +- Filename: cpuz.sys + MD5: 07493c774aa406478005e8fe52c788b2 + SHA1: 34a07ae39b232cc3dbbe657b34660e692ff2043a + SHA256: dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98 + Authentihash: + MD5: 63e4ba0a05ddac75e9f2b90c28291331 + SHA1: 34c6aeb2bc32ff8da525641af75ff600e7249252 + SHA256: 653601cf8c3c2c4b778f9025d4e964c887966cc3216bb35a73a3ae75477b4476 + Description: CPUID Driver + Company: Windows (R) Codename Longhorn DDK provider + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.0.6000.16386 built by: WinDDK' + Product: Windows (R) Codename Longhorn DDK driver + ProductVersion: 6.0.6000.16386 + Copyright: "\xA9 Microsoft Corporation. 
All rights reserved." + MachineType: AMD64 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - KeWaitForSingleObject + - PsGetVersion + - MmUnmapIoSpace + - IoBuildDeviceIoControlRequest + - IoDeleteSymbolicLink + - IoCreateSymbolicLink + - MmIsAddressValid + - ObfDereferenceObject + - RtlAnsiStringToUnicodeString + - IofCompleteRequest + - RtlFreeUnicodeString + - IofCallDriver + - IoGetDeviceObjectPointer + - RtlInitUnicodeString + - IoDeleteDevice + - ProbeForWrite + - MmMapIoSpace + - KeBugCheckEx + - RtlInitAnsiString + - IoCreateDevice + - KeInitializeEvent + - RtlUnwindEx + - HalSetBusDataByOffset + - HalGetBusDataByOffset + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , + G2 + ValidFrom: '2007-06-15 00:00:00' + ValidTo: '2012-06-14 23:59:59' + Signature: 50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 3825d7faf861af9ef490e726b5d65ad5 + Version: 3 + TBS: + MD5: d6c7684e9aaa508cf268335f83afe040 + SHA1: 18066d20ad92409c567cdfde745279ff71c75226 + SHA256: a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2013-12-03 23:59:59' + Signature: 
4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 47bf1995df8d524643f7db6d480d31a4 + Version: 3 + TBS: + MD5: 518d2ea8a21e879c942d504824ac211c + SHA1: 21ce87d827077e61abddf2beba69fde5432ea031 + SHA256: 1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 + CA + ValidFrom: '2004-07-16 00:00:00' + ValidTo: '2014-07-15 23:59:59' + Signature: ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 4191a15a3978dfcf496566381d4c75c2 + Version: 3 + TBS: + MD5: 41011f8d0e7c7a6408334ca387914c61 + SHA1: c7fc1727f5b75a6421a1f95c73bbdb23580c48e5 + SHA256: 88dd3952638ee82738c03168e6fd863fe4eab1059ee5e2926ad8cb587c255dc0 + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft + Software Validation v2, CN=CPUID + ValidFrom: '2007-02-08 00:00:00' + ValidTo: '2009-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 10e29d74903d9c7cd58caa35a0944770 + Version: 3 + TBS: + MD5: 5e3b5587eb8c553dc279bb241c30689d + SHA1: 5b5631ff0033ed753a5c630a4d8d48772050db32 + SHA256: 9b30d9d9f9fd9c0480c0503dd4ac86649d2cc180d1401ade6dd8048356d7f634 + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public 
Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + Signer: + - SerialNumber: 10e29d74903d9c7cd58caa35a0944770 + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 + CA + Version: 1 + RichPEHeaderHash: + MD5: 6633dd48aea31e9c4821fbc652e4701e + SHA1: 3fb6cdbdaa8959e6a79305a74981751e06506a6f + SHA256: 63b15db03090d5e7ba52906b2854fba693e17a5fac179397bd55f91e49d28859 + Sections: + .text: + Entropy: 6.049517664101274 + Virtual Size: '0x15a6' + .rdata: + Entropy: 4.2613924369366005 + Virtual Size: '0x304' + 
.data: + Entropy: 0.6099523004172788 + Virtual Size: '0x124' + .pdata: + Entropy: 3.3197547776031913 + Virtual Size: '0x6c' + INIT: + Entropy: 4.94558496841094 + Virtual Size: '0x388' + .rsrc: + Entropy: 3.3933870153256342 + Virtual Size: '0x400' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2008-02-22 04:12:04' +- Filename: cpuz.sys + MD5: e425c66663c96d5a9f030b0ad4d219a8 + SHA1: bd87aecc0ac1d1c2ab72be1090d39fab657f7cc6 + SHA256: deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578 + Authentihash: + MD5: a10d1df81f81710baf68826e4c32befa + SHA1: ecbde8d7d911f64666f89356ce6194d92741bdc4 + SHA256: cd7754a6ec6bf19724fb266ec4f1d02607e9b310791d8725d7db5ac84d5430e2 + Description: CPUID Driver + Company: CPUID + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: CPUID service + ProductVersion: 6.1.7600.16385 + Copyright: Copyright(C) 2014 CPUID + MachineType: I386 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - IofCompleteRequest + - ExFreePool + - ExAllocatePoolWithTag + - RtlFreeUnicodeString + - ObfDereferenceObject + - MmIsAddressValid + - IoGetDeviceObjectPointer + - MmUnmapIoSpace + - RtlInitAnsiString + - MmMapIoSpace + - IoCreateSymbolicLink + - IoCreateDevice + - RtlUnwind + - KeTickCount + - KeBugCheckEx + - RtlInitUnicodeString + - IoDeleteSymbolicLink + - IoDeleteDevice + - PsGetVersion + - KeInitializeEvent + - IoBuildDeviceIoControlRequest + - IofCallDriver + - KeWaitForSingleObject + - RtlAnsiStringToUnicodeString + - IoCancelIrp + - READ_PORT_USHORT + - READ_PORT_ULONG + - WRITE_PORT_UCHAR + - WRITE_PORT_USHORT + - WRITE_PORT_ULONG + - HalGetBusDataByOffset + - HalSetBusDataByOffset + - KeStallExecutionProcessor + - READ_PORT_UCHAR + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA + , G2 + ValidFrom: '2012-12-21 00:00:00' + ValidTo: 
'2020-12-30 23:59:59' + Signature: 03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 7e93ebfb7cc64e59ea4b9a77d406fc3b + Version: 3 + TBS: + MD5: d0785ad36e427c92b19f6826ab1e8020 + SHA1: 365b7a9c21bd9373e49052c3e7b3e4646ddd4d43 + SHA256: c2abb7484da91a658548de089d52436175fdb760a1387d225611dc0613a1e2ff + - Subject: C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer + , G4 + ValidFrom: '2012-10-18 00:00:00' + ValidTo: '2020-12-29 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 0ecff438c8febf356e04d86a981b1a50 + Version: 3 + TBS: + MD5: e9d38360b914c8863f6cba3ee58764d3 + SHA1: 4cba8eae47b6bf76f20b3504b98b8f062694a89b + SHA256: 88901d86a4cc1f1bb193d08e1fb63d27452e63f83e228c657ab1a92e4ade3976 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2006-11-08 00:00:00' + ValidTo: '2021-11-07 23:59:59' + Signature: 1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 250ce8e030612e9f2b89f7054d7cf8fd + Version: 3 + TBS: + MD5: 918d9eb6a6cd36c531eceb926170a7e1 + SHA1: 0ae95700d65e6f59715aa47048993ca7858e676a + SHA256: 47c46e6eaa3780eace3d0d891346cd373359d246b21a957219dbab4c8f37c166 + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft + Software Validation v2, CN=CPUID + ValidFrom: '2012-01-06 00:00:00' + ValidTo: '2015-02-06 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 53c8b54713882d4d5439511804935e + Version: 3 + TBS: + MD5: 49e7946e133b4aaa31899adb235d3fa9 + SHA1: f9f38ec49a6ccb990805be6dda0efa5f7fe8f7e7 + SHA256: 1bb998a806b890e3300be35de0daa1b691fa218ef3d58ee5ec1b43fd34250a74 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + 
ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 53c8b54713882d4d5439511804935e + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 + RichPEHeaderHash: + MD5: 41f15d0f328a165973b49de608ef72a2 + SHA1: abcd9850775bd0a1a855e785a238e0e69525810f + SHA256: 02dc44b04a6426fcaedf26995bfa471f123a90a9c747e82cebaf95f394890631 + Sections: + .text: + Entropy: 6.204806970841105 + Virtual Size: '0x2ed0' + .rdata: + Entropy: 4.656797686788462 + Virtual Size: '0x2e8' + .data: + Entropy: 0.335842300318532 + Virtual Size: '0x1e0' + INIT: + Entropy: 5.416266853126175 + Virtual Size: '0x3f4' + .rsrc: + Entropy: 3.392253360894555 + Virtual Size: '0x350' + .reloc: + Entropy: 5.600870307396892 + Virtual Size: '0x26e' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2014-02-17 07:21:57' +- Filename: cpuz.sys + MD5: ccb09eb78e047c931708149992c2e435 + SHA1: ada23b709cb2bef8bedd612dc345db2e2fdbfaca + SHA256: df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15 + Authentihash: + MD5: e4b3d527845f6574b5959b6381f925f8 + SHA1: baf46ac272c1a6d8c32683965b1d849386908079 + SHA256: 68b0a239031b158e2927bb5dc8844b662cb4616ee8c1363fa729aa8fa0d86cff + Description: CPUID Driver + Company: CPUID + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: CPUID service + ProductVersion: 6.1.7600.16385 + Copyright: Copyright(C) 2010 CPUID + MachineType: AMD64 + Imports: + - ntoskrnl.exe + - HAL.dll + 
ExportedFunctions: '' + ImportedFunctions: + - RtlAnsiStringToUnicodeString + - RtlInitUnicodeString + - IoDeleteDevice + - KeInitializeEvent + - RtlInitAnsiString + - MmUnmapIoSpace + - IoCancelIrp + - RtlFreeUnicodeString + - IoGetDeviceObjectPointer + - ExFreePoolWithTag + - IofCompleteRequest + - KeWaitForSingleObject + - PsGetVersion + - IoCreateSymbolicLink + - MmIsAddressValid + - ObfDereferenceObject + - IoCreateDevice + - IofCallDriver + - KeBugCheckEx + - IoDeleteSymbolicLink + - IoBuildDeviceIoControlRequest + - MmMapIoSpace + - ExAllocatePoolWithTag + - RtlUnwindEx + - HalSetBusDataByOffset + - KeStallExecutionProcessor + - HalGetBusDataByOffset + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , + G2 + ValidFrom: '2007-06-15 00:00:00' + ValidTo: '2012-06-14 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 3825d7faf861af9ef490e726b5d65ad5 + Version: 3 + TBS: + MD5: d6c7684e9aaa508cf268335f83afe040 + SHA1: 18066d20ad92409c567cdfde745279ff71c75226 + SHA256: a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2013-12-03 23:59:59' + Signature: 4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 47bf1995df8d524643f7db6d480d31a4 + Version: 3 + TBS: + MD5: 518d2ea8a21e879c942d504824ac211c + SHA1: 21ce87d827077e61abddf2beba69fde5432ea031 + SHA256: 1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 + - 
Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 + CA + ValidFrom: '2004-07-16 00:00:00' + ValidTo: '2014-07-15 23:59:59' + Signature: ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 4191a15a3978dfcf496566381d4c75c2 + Version: 3 + TBS: + MD5: 41011f8d0e7c7a6408334ca387914c61 + SHA1: c7fc1727f5b75a6421a1f95c73bbdb23580c48e5 + SHA256: 88dd3952638ee82738c03168e6fd863fe4eab1059ee5e2926ad8cb587c255dc0 + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft + Software Validation v2, CN=CPUID + ValidFrom: '2009-02-02 00:00:00' + ValidTo: '2012-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 29f25a23906de1bbfa2c46067eba0ddd + Version: 3 + TBS: + MD5: fb72fa311261c4fb6a786e5cc7ce1d2f + SHA1: 1006abcf3b1eb43fd4cc42a2cc25346b3b9002c3 + SHA256: 01beb7dc0d29b16a5506fc611b435aa0f4d9c50408ca404e91135e493a20890a + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + Signer: + - SerialNumber: 29f25a23906de1bbfa2c46067eba0ddd + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign 
Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 + CA + Version: 1 + RichPEHeaderHash: + MD5: 89dc670b5f7c06b577deeec9473dc96b + SHA1: af59c00ae531117ba9307257ab945cdf6c8309f6 + SHA256: 35b9d8fc904c88f4df237edc610727f89c415e48bcf135191c43832bb2935ba6 + Sections: + .text: + Entropy: 6.199906453328244 + Virtual Size: '0x2506' + .rdata: + Entropy: 4.25835240231724 + Virtual Size: '0x3e0' + .data: + Entropy: 0.378703493487675 + Virtual Size: '0x2c0' + .pdata: + Entropy: 3.3649784372301403 + Virtual Size: '0x90' + INIT: + Entropy: 5.067835669413665 + Virtual Size: '0x406' + .rsrc: + Entropy: 3.3943730160709853 + Virtual Size: '0x350' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2011-01-19 09:42:06' +- Filename: cpuz.sys + MD5: 43bfc857406191963f4f3d9f1b76a7bf + SHA1: 9329a0ce2749a3a6bea2028ce7562d74c417db64 + SHA256: e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b + Authentihash: + MD5: 68fb744e92133e8bb6b59fea9304667c + SHA1: de1a168f24f5da29b9f8bf8333fff57bfa0d21a4 + SHA256: d70bfea03deeea92a253f2b4a8b7181a3064f62c5207f94b5f7ce5a9e62ab4cf + Description: CPUID Driver + Company: CPUID + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: CPUID service + ProductVersion: 6.1.7600.16385 + Copyright: Copyright(C) 2016 CPUID + MachineType: AMD64 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - RtlInitUnicodeString + - IoDeleteDevice + - KeInitializeEvent + - RtlInitAnsiString + - MmUnmapIoSpace + - IoCancelIrp + - RtlFreeUnicodeString + - IoGetDeviceObjectPointer + - RtlAnsiStringToUnicodeString + - IofCompleteRequest + - KeWaitForSingleObject + - PsGetVersion + - IoCreateSymbolicLink + - ObfDereferenceObject + - IoCreateDevice + - IofCallDriver + - KeBugCheckEx + - ExFreePoolWithTag + - IoDeleteSymbolicLink + - IoBuildDeviceIoControlRequest + - MmMapIoSpace + - ExAllocatePoolWithTag + - 
RtlUnwindEx + - HalGetBusDataByOffset + - HalSetBusDataByOffset + - KeStallExecutionProcessor + - KeQueryPerformanceCounter + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2006-11-08 00:00:00' + ValidTo: '2021-11-07 23:59:59' + Signature: 1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 250ce8e030612e9f2b89f7054d7cf8fd + Version: 3 + TBS: + MD5: 918d9eb6a6cd36c531eceb926170a7e1 + SHA1: 0ae95700d65e6f59715aa47048993ca7858e676a + SHA256: 47c46e6eaa3780eace3d0d891346cd373359d246b21a957219dbab4c8f37c166 + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID + ValidFrom: '2014-12-02 00:00:00' + ValidTo: '2018-03-02 23:59:59' + Signature: 
a59808b35f916a1201f0987b958aaaf50b81f3e507cf9d1b902bc22787244617e38069e4ca74bcf505dfdfeb6bad8bee2ecba26a428c2b26c9b9987241b50ccfd895a7335b35534c5569fdef2554d773cb3b20f10e08eeff2701d2a3e8ef7c5bb759baf1995d1580dce4f0c5da90eff4f07e01e7c9273b24c14c514f2ae1d1fe940dd53bfa25572cd6f3c007c7f21aebc58ea32ca3aea83c731419c9dcc191158cbb52b0b70545a16c9b42aadd4dcb167443d6c15fa03ae7f6f0f644845a69cb8badb3f143fd916a70c5008c3486d1f0cc8e0527f76da5aeaca4925f6eb6861dd54e1ce8b80e6b000446d77ac8bd0299e38db3b8e4a9c43294367cd6a55351d0 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 2d8021d84f098e7abde199f818e211a4 + Version: 3 + TBS: + MD5: 8f8c7ccf1ef7e1ee347f49e8266008ca + SHA1: b856b993df73da9d824aa1e5161788bd10d1e10e + SHA256: 1dd13a417806106c76cfbcd3614fe27a0638d2aaf2731f6a110c05043e34ad91 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 2d8021d84f098e7abde199f818e211a4 + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 + RichPEHeaderHash: + MD5: c046d6f14ec39d2a0f67a417bda83c5e + SHA1: 74661f1063b4c80566f75a1bee22c35f7af17fa9 + SHA256: 440eebbdc09d290724d364056ba4e2725c75759819a6df0a1ed5c876ed7d2474 + Sections: + .text: + Entropy: 6.202501650998955 + Virtual Size: '0x38b6' + .rdata: + Entropy: 4.1722432536185465 + Virtual Size: '0x464' + .data: 
+ Entropy: 0.378703493487675 + Virtual Size: '0x440' + .pdata: + Entropy: 3.6000408617955837 + Virtual Size: '0xf0' + INIT: + Entropy: 5.116119018385266 + Virtual Size: '0x40e' + .rsrc: + Entropy: 3.38341382722288 + Virtual Size: '0x350' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2016-10-05 03:53:07' +- Filename: cpuz.sys + MD5: 8f5b84350bfc4fe3a65d921b4bd0e737 + SHA1: 76046978d8e4409e53d8126a8dcfc3bf8602c37f + SHA256: e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90 + Authentihash: + MD5: 76a420a5ac2a6250c57d129de361695a + SHA1: 3736434ca3094fed9f1f3378e9fb966a5e9411f1 + SHA256: 3e423caaff9002b38e1d90005df181aa2b3711ebbf6d1eb83941656ccc313811 + Description: CPUID Driver + Company: CPUID + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: CPUID service + ProductVersion: 6.1.7600.16385 + Copyright: Copyright(C) 2010 CPUID + MachineType: AMD64 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - RtlAnsiStringToUnicodeString + - RtlInitUnicodeString + - IoDeleteDevice + - KeInitializeEvent + - RtlInitAnsiString + - MmUnmapIoSpace + - IoCancelIrp + - RtlFreeUnicodeString + - IoGetDeviceObjectPointer + - ExFreePoolWithTag + - IofCompleteRequest + - KeWaitForSingleObject + - PsGetVersion + - IoCreateSymbolicLink + - MmIsAddressValid + - ObfDereferenceObject + - IoCreateDevice + - IofCallDriver + - KeBugCheckEx + - IoDeleteSymbolicLink + - IoBuildDeviceIoControlRequest + - MmMapIoSpace + - ExAllocatePoolWithTag + - RtlUnwindEx + - HalSetBusDataByOffset + - KeStallExecutionProcessor + - HalGetBusDataByOffset + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , + G2 + ValidFrom: '2007-06-15 00:00:00' + ValidTo: '2012-06-14 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + 
IsCertificateAuthority: false + SerialNumber: 3825d7faf861af9ef490e726b5d65ad5 + Version: 3 + TBS: + MD5: d6c7684e9aaa508cf268335f83afe040 + SHA1: 18066d20ad92409c567cdfde745279ff71c75226 + SHA256: a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2013-12-03 23:59:59' + Signature: 4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 47bf1995df8d524643f7db6d480d31a4 + Version: 3 + TBS: + MD5: 518d2ea8a21e879c942d504824ac211c + SHA1: 21ce87d827077e61abddf2beba69fde5432ea031 + SHA256: 1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2006-11-08 00:00:00' + ValidTo: '2021-11-07 23:59:59' + Signature: 1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 250ce8e030612e9f2b89f7054d7cf8fd + Version: 3 + TBS: + MD5: 918d9eb6a6cd36c531eceb926170a7e1 + SHA1: 0ae95700d65e6f59715aa47048993ca7858e676a + SHA256: 47c46e6eaa3780eace3d0d891346cd373359d246b21a957219dbab4c8f37c166 + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft + Software Validation v2, CN=CPUID + ValidFrom: '2012-01-06 00:00:00' + ValidTo: '2015-02-06 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 53c8b54713882d4d5439511804935e + Version: 3 + TBS: + MD5: 49e7946e133b4aaa31899adb235d3fa9 + SHA1: f9f38ec49a6ccb990805be6dda0efa5f7fe8f7e7 + SHA256: 1bb998a806b890e3300be35de0daa1b691fa218ef3d58ee5ec1b43fd34250a74 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + 
ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 53c8b54713882d4d5439511804935e + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 + RichPEHeaderHash: + MD5: 685a19a8e9f46a76067db83da501dca0 + SHA1: 5f76e4cf5157450837536db016e9981cb41394d2 + SHA256: 1a0c69ff029488d41c7d9413943c28d389016adb26698d9baf02c6f32739d591 + Sections: + .text: + Entropy: 6.214010136736859 + Virtual Size: '0x25d6' + .rdata: + Entropy: 4.171320307410102 + Virtual Size: '0x3ec' + .data: + Entropy: 0.378703493487675 + Virtual Size: '0x2c0' + .pdata: + Entropy: 3.503621523339014 + Virtual Size: '0xc0' + INIT: + Entropy: 5.076575853289 + Virtual Size: '0x406' + .rsrc: + Entropy: 3.3943730160709853 + Virtual Size: '0x350' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2012-02-07 08:44:59' +- Filename: cpuz.sys + MD5: ce57844fb185d0cdd9d3ce9e5b6a891d + SHA1: 32888d789edc91095da2e0a5d6c564c2aebcee68 + SHA256: ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe + Authentihash: + MD5: 
649db3854efa0c9a10fdcca1bcc5fc0b + SHA1: 3c738ea73287a493a2254c6011c35f31569cf2b9 + SHA256: 472e29b63e1d9d44269a99962b186113586fbd3603eac3a23c520c7ef73a69cf + Description: CPUID Driver + Company: CPUID + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: CPUID service + ProductVersion: 6.1.7600.16385 + Copyright: Copyright(C) 2017 CPUID + MachineType: AMD64 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - RtlInitUnicodeString + - IoDeleteDevice + - KeInitializeEvent + - RtlInitAnsiString + - MmUnmapIoSpace + - IoCancelIrp + - RtlFreeUnicodeString + - IoGetDeviceObjectPointer + - RtlAnsiStringToUnicodeString + - IofCompleteRequest + - KeWaitForSingleObject + - PsGetVersion + - IoCreateSymbolicLink + - ObfDereferenceObject + - IoCreateDevice + - IofCallDriver + - KeBugCheckEx + - ExFreePoolWithTag + - IoDeleteSymbolicLink + - IoBuildDeviceIoControlRequest + - MmMapIoSpace + - ExAllocatePoolWithTag + - RtlUnwindEx + - HalGetBusDataByOffset + - HalSetBusDataByOffset + - KeStallExecutionProcessor + - KeQueryPerformanceCounter + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2006-11-08 00:00:00' + ValidTo: '2021-11-07 23:59:59' + Signature: 1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 250ce8e030612e9f2b89f7054d7cf8fd + Version: 3 + TBS: + MD5: 918d9eb6a6cd36c531eceb926170a7e1 + SHA1: 0ae95700d65e6f59715aa47048993ca7858e676a + SHA256: 47c46e6eaa3780eace3d0d891346cd373359d246b21a957219dbab4c8f37c166 + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + 
IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID + ValidFrom: '2014-12-02 00:00:00' + ValidTo: '2018-03-02 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 2d8021d84f098e7abde199f818e211a4 + Version: 3 + TBS: + MD5: 8f8c7ccf1ef7e1ee347f49e8266008ca + SHA1: b856b993df73da9d824aa1e5161788bd10d1e10e + SHA256: 1dd13a417806106c76cfbcd3614fe27a0638d2aaf2731f6a110c05043e34ad91 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 2d8021d84f098e7abde199f818e211a4 + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 + RichPEHeaderHash: + MD5: c046d6f14ec39d2a0f67a417bda83c5e + SHA1: 74661f1063b4c80566f75a1bee22c35f7af17fa9 + SHA256: 440eebbdc09d290724d364056ba4e2725c75759819a6df0a1ed5c876ed7d2474 + Sections: + .text: + Entropy: 6.1689591912915125 + Virtual Size: '0x4546' + .rdata: + Entropy: 4.191218153188012 + Virtual Size: '0x534' + .data: + Entropy: 0.378703493487675 + Virtual Size: '0x440' + .pdata: + 
Entropy: 3.6397736740131683 + Virtual Size: '0xfc' + INIT: + Entropy: 5.132100585029012 + Virtual Size: '0x40e' + .rsrc: + Entropy: 3.394946071861716 + Virtual Size: '0x350' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2017-05-22 02:17:51' +- Filename: cpuz.sys + MD5: 8ad9dfc971df71cd43788ade6acf8e7d + SHA1: 7241b25c3a3ee9f36b52de3db2fc27db7065af37 + SHA256: f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c + Authentihash: + MD5: fa889613bb0522d6e546e8cbd011105a + SHA1: 62ee17440edaf819966eb823a26dfd46c24447b4 + SHA256: 991228f3ea6c1ae8083aa405d1d066e48cd6dbd7d6bc01c81599b2c28f3923f1 + Description: CPUID Driver + Company: CPUID + InternalName: cpuz.sys + OriginalFilename: cpuz.sys + FileVersion: '6.1.7600.16385 built by: WinDDK' + Product: CPUID service + ProductVersion: 6.1.7600.16385 + Copyright: Copyright(C) 2015 CPUID + MachineType: AMD64 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - RtlAnsiStringToUnicodeString + - RtlInitUnicodeString + - IoDeleteDevice + - KeInitializeEvent + - RtlInitAnsiString + - MmUnmapIoSpace + - IoCancelIrp + - RtlFreeUnicodeString + - IoGetDeviceObjectPointer + - ExFreePoolWithTag + - IofCompleteRequest + - KeWaitForSingleObject + - PsGetVersion + - IoCreateSymbolicLink + - ObfDereferenceObject + - IoCreateDevice + - IofCallDriver + - KeBugCheckEx + - IoDeleteSymbolicLink + - IoBuildDeviceIoControlRequest + - MmMapIoSpace + - ExAllocatePoolWithTag + - RtlUnwindEx + - HalSetBusDataByOffset + - KeStallExecutionProcessor + - HalGetBusDataByOffset + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2006-11-08 00:00:00' + ValidTo: '2021-11-07 23:59:59' + Signature: 1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 250ce8e030612e9f2b89f7054d7cf8fd + Version: 3 + TBS: + MD5: 918d9eb6a6cd36c531eceb926170a7e1 + SHA1: 0ae95700d65e6f59715aa47048993ca7858e676a + SHA256: 47c46e6eaa3780eace3d0d891346cd373359d246b21a957219dbab4c8f37c166 + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + - Subject: C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID + ValidFrom: '2014-12-02 00:00:00' + ValidTo: '2018-03-02 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 2d8021d84f098e7abde199f818e211a4 + Version: 3 + TBS: + MD5: 8f8c7ccf1ef7e1ee347f49e8266008ca + SHA1: b856b993df73da9d824aa1e5161788bd10d1e10e + SHA256: 1dd13a417806106c76cfbcd3614fe27a0638d2aaf2731f6a110c05043e34ad91 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + 
Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 2d8021d84f098e7abde199f818e211a4 + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 + RichPEHeaderHash: + MD5: b3dcf662ce69ad7b34717fb6aecf09a7 + SHA1: 63be2c28ecee71a739bfbaf38466362e998bc5bc + SHA256: f4257b7e95b00b38e446b2708cc342fe32846266064b94c78ec1f987731c2226 + Sections: + .text: + Entropy: 6.1888286192821065 + Virtual Size: '0x30b6' + .rdata: + Entropy: 4.210489806011185 + Virtual Size: '0x424' + .data: + Entropy: 0.378703493487675 + Virtual Size: '0x2c0' + .pdata: + Entropy: 3.6128209941554763 + Virtual Size: '0xd8' + INIT: + Entropy: 5.131854482283732 + Virtual Size: '0x3ea' + .rsrc: + Entropy: 3.3958173868041217 + Virtual Size: '0x350' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2015-11-18 02:58:02' +Tags: +- cpuz.sys diff --git a/yaml/17cf4fac-88f1-467d-9f62-481d33accc5b.yaml b/yaml/17cf4fac-88f1-467d-9f62-481d33accc5b.yaml index a2be74dd9..b2f680735 100644 --- a/yaml/17cf4fac-88f1-467d-9f62-481d33accc5b.yaml +++ b/yaml/17cf4fac-88f1-467d-9f62-481d33accc5b.yaml 
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 17cf4fac-88f1-467d-9f62-481d33accc5b
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/19003e00-d42d-4cbe-91f3-756451bdd7da.yaml b/yaml/19003e00-d42d-4cbe-91f3-756451bdd7da.yaml
index 5b075fc4c..69256782e 100644
--- a/yaml/19003e00-d42d-4cbe-91f3-756451bdd7da.yaml
+++ b/yaml/19003e00-d42d-4cbe-91f3-756451bdd7da.yaml
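Review bot: The added sysmon_hash_detect and sysmon_hash_block entries repeat entries this record already has — the unchanged lines directly above the additions carry the same two types with the same URLs — so the Detection list now names those rules twice, and the same doubling shows up in every record of this commit that already had a populated Detection block. This looks like the generator appending its static sigma/sysmon list without the membership check it applies to the YARA link; the fix belongs in the generator rather than in this file, e.g. `for rule in static_rules: if rule not in yaml_data['Detection']: yaml_data['Detection'].append(rule)`, followed by regenerating the YAML. Until then anything that renders or counts detections per driver will over-report, and re-running the script would presumably append yet another copy.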
@@ -11,7 +11,17 @@ Commands:
 Privileges: kernel
 Usecase: Elevate privileges
 Created: '2023-01-09'
-Detection: []
+Detection:
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 19003e00-d42d-4cbe-91f3-756451bdd7da
 KnownVulnerableSamples:
 - Company: ''
diff --git a/yaml/19d16518-4aee-4983-ba89-dbbe0fa8a3e7.yaml b/yaml/19d16518-4aee-4983-ba89-dbbe0fa8a3e7.yaml
index f0c504bd2..12ccf749a 100644
--- a/yaml/19d16518-4aee-4983-ba89-dbbe0fa8a3e7.yaml
+++ b/yaml/19d16518-4aee-4983-ba89-dbbe0fa8a3e7.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 19d16518-4aee-4983-ba89-dbbe0fa8a3e7
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/1aeb1205-8b02-42b6-a563-b953ea337c19.yaml b/yaml/1aeb1205-8b02-42b6-a563-b953ea337c19.yaml
index 791b7f404..4da67070b 100644
--- a/yaml/1aeb1205-8b02-42b6-a563-b953ea337c19.yaml
+++ b/yaml/1aeb1205-8b02-42b6-a563-b953ea337c19.yaml
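Review bot: The yara_signature entry added here points at the whole yara-rules_vuln_drivers_strict_renamed.yar file, and every record in this commit receives that identical URL regardless of which driver it describes, so the entry carries no per-sample information and a reader cannot check that a rule covering this driver's hashes actually exists in that file. The generator presumably picks the first rule file whose text contains the sample's SHA256, which is why the link is per-file rather than per-rule. If the rule files carry the hash in rule metadata, the generator could record the matching rule name alongside the URL, e.g. `- type: yara_signature` / `value: <file url>` / `rule: <rule name>`, or at minimum fail loudly when a hash is not found in any of the rule files rather than silently leaving the record without a YARA link.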
@@ -15,6 +15,16 @@ Created: '2023-07-22'
 Detection:
 - type: ''
 value: ''
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 1aeb1205-8b02-42b6-a563-b953ea337c19
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/1c6e1d3b-f825-4065-9e0c-83386883e40f.yaml b/yaml/1c6e1d3b-f825-4065-9e0c-83386883e40f.yaml
index 555af42df..2f2c60d6c 100644
--- a/yaml/1c6e1d3b-f825-4065-9e0c-83386883e40f.yaml
+++ b/yaml/1c6e1d3b-f825-4065-9e0c-83386883e40f.yaml
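Review bot: The empty placeholder `- type: ''` / `value: ''` is kept as the first Detection entry while the real entries are appended below it, so consumers that iterate Detection for this record will see one entry with an empty type and an empty URL next to the five valid ones. The placeholder was presumably only meaningful while the list had no real entries; the generator should drop such entries before appending, e.g. `yaml_data['Detection'] = [d for d in yaml_data['Detection'] if d.get('type')]`, and this record regenerated, since a consumer that builds links or filters by type from these entries will otherwise emit an empty link.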
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 1c6e1d3b-f825-4065-9e0c-83386883e40f
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/1c7631f0-f92f-4be5-8ba7-3eefb0601d45.yaml b/yaml/1c7631f0-f92f-4be5-8ba7-3eefb0601d45.yaml
index b6360b4e5..9bea920f8 100644
--- a/yaml/1c7631f0-f92f-4be5-8ba7-3eefb0601d45.yaml
+++ b/yaml/1c7631f0-f92f-4be5-8ba7-3eefb0601d45.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 1c7631f0-f92f-4be5-8ba7-3eefb0601d45
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/1d2cdef1-de44-4849-80e5-e2fa288df681.yaml b/yaml/1d2cdef1-de44-4849-80e5-e2fa288df681.yaml
index ccaf579c9..6b0c12fc4 100644
--- a/yaml/1d2cdef1-de44-4849-80e5-e2fa288df681.yaml
+++ b/yaml/1d2cdef1-de44-4849-80e5-e2fa288df681.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 1d2cdef1-de44-4849-80e5-e2fa288df681
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/20076ebf-4427-4056-b035-5238f95debe9.yaml b/yaml/20076ebf-4427-4056-b035-5238f95debe9.yaml
index b92c4cd04..99915022f 100644
--- a/yaml/20076ebf-4427-4056-b035-5238f95debe9.yaml
+++ b/yaml/20076ebf-4427-4056-b035-5238f95debe9.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 20076ebf-4427-4056-b035-5238f95debe9
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/205721b7-b83b-414a-b4b5-8bacb4a37777.yaml b/yaml/205721b7-b83b-414a-b4b5-8bacb4a37777.yaml
index 3728a9632..bdb92823d 100644
--- a/yaml/205721b7-b83b-414a-b4b5-8bacb4a37777.yaml
+++ b/yaml/205721b7-b83b-414a-b4b5-8bacb4a37777.yaml
@@ -24,6 +24,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 205721b7-b83b-414a-b4b5-8bacb4a37777
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/213676bb-ffb9-4d0d-a442-8cefee63acc1.yaml b/yaml/213676bb-ffb9-4d0d-a442-8cefee63acc1.yaml
index 589fd7e58..1f2a70b52 100644
--- a/yaml/213676bb-ffb9-4d0d-a442-8cefee63acc1.yaml
+++ b/yaml/213676bb-ffb9-4d0d-a442-8cefee63acc1.yaml
@@ -15,6 +15,16 @@ Created: '2023-07-22'
 Detection:
 - type: ''
   value: ''
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 213676bb-ffb9-4d0d-a442-8cefee63acc1
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/214654eb-90c4-48c8-a183-0157e50bf07f.yml b/yaml/214654eb-90c4-48c8-a183-0157e50bf07f.yml
index 761164ba6..ddea7e683 100644
--- a/yaml/214654eb-90c4-48c8-a183-0157e50bf07f.yml
+++ b/yaml/214654eb-90c4-48c8-a183-0157e50bf07f.yml
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
   Person: []
   Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: MsIo64.sys
   MD5: 88a6d84f4f1cc188741271ac1999a4e9
diff --git a/yaml/2225128d-a23f-434a-aaee-69a88ea64fbd.yaml b/yaml/2225128d-a23f-434a-aaee-69a88ea64fbd.yaml
index 821766a97..9695f506d 100644
--- a/yaml/2225128d-a23f-434a-aaee-69a88ea64fbd.yaml
+++ b/yaml/2225128d-a23f-434a-aaee-69a88ea64fbd.yaml
@@ -15,6 +15,16 @@ Created: '2023-07-22'
 Detection:
 - type: ''
   value: ''
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 2225128d-a23f-434a-aaee-69a88ea64fbd
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/22aa985b-5fdb-4e38-9382-a496220c27ec.yaml b/yaml/22aa985b-5fdb-4e38-9382-a496220c27ec.yaml
index 74f595ce9..9dcdd2832 100644
--- a/yaml/22aa985b-5fdb-4e38-9382-a496220c27ec.yaml
+++ b/yaml/22aa985b-5fdb-4e38-9382-a496220c27ec.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 22aa985b-5fdb-4e38-9382-a496220c27ec
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/23f11e19-0776-4dd4-9c9c-7f6b60f8553f.yaml b/yaml/23f11e19-0776-4dd4-9c9c-7f6b60f8553f.yaml
index d8a884b04..ace76e1e7 100644
--- a/yaml/23f11e19-0776-4dd4-9c9c-7f6b60f8553f.yaml
+++ b/yaml/23f11e19-0776-4dd4-9c9c-7f6b60f8553f.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 23f11e19-0776-4dd4-9c9c-7f6b60f8553f
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/24fb7bab-b8c3-46ea-a370-c84d2f0ff614.yaml b/yaml/24fb7bab-b8c3-46ea-a370-c84d2f0ff614.yaml
index 2d0ffa74a..6e1e17ac0 100644
--- a/yaml/24fb7bab-b8c3-46ea-a370-c84d2f0ff614.yaml
+++ b/yaml/24fb7bab-b8c3-46ea-a370-c84d2f0ff614.yaml
@@ -26,6 +26,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 24fb7bab-b8c3-46ea-a370-c84d2f0ff614
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/2ada18ae-2c52-49b6-b1a0-cf3b267f6dc7.yml b/yaml/2ada18ae-2c52-49b6-b1a0-cf3b267f6dc7.yml
index a5de9c4d0..3e33269a8 100644
--- a/yaml/2ada18ae-2c52-49b6-b1a0-cf3b267f6dc7.yml
+++ b/yaml/2ada18ae-2c52-49b6-b1a0-cf3b267f6dc7.yml
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
   Person: []
   Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: sfdrvx32.sys
   MD5: 9f70cd5edcc4efc48ae21e04fb03be9d
diff --git a/yaml/2b949a0d-939f-456a-a34f-4589d7712227.yaml b/yaml/2b949a0d-939f-456a-a34f-4589d7712227.yaml
index 9e69125f0..8d3a9c9b1 100644
--- a/yaml/2b949a0d-939f-456a-a34f-4589d7712227.yaml
+++ b/yaml/2b949a0d-939f-456a-a34f-4589d7712227.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 2b949a0d-939f-456a-a34f-4589d7712227
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/2bea1bca-753c-4f09-bc9f-566ab0193f4a.yaml b/yaml/2bea1bca-753c-4f09-bc9f-566ab0193f4a.yaml
index 358227b46..dea64ef42 100644
--- a/yaml/2bea1bca-753c-4f09-bc9f-566ab0193f4a.yaml
+++ b/yaml/2bea1bca-753c-4f09-bc9f-566ab0193f4a.yaml
@@ -34,6 +34,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 2bea1bca-753c-4f09-bc9f-566ab0193f4a
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/2c3884d3-9e4f-4519-b18b-0969612621bc.yaml b/yaml/2c3884d3-9e4f-4519-b18b-0969612621bc.yaml
index 758907517..985a99267 100644
--- a/yaml/2c3884d3-9e4f-4519-b18b-0969612621bc.yaml
+++ b/yaml/2c3884d3-9e4f-4519-b18b-0969612621bc.yaml
@@ -11,7 +11,17 @@ Commands:
   Privileges: kernel
   Usecase: Denial of Service
 Created: '2023-04-15'
-Detection: []
+Detection:
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 2c3884d3-9e4f-4519-b18b-0969612621bc
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/2d7c96d3-2d6c-44cd-a8a1-5239f571a24a.yml b/yaml/2d7c96d3-2d6c-44cd-a8a1-5239f571a24a.yml
index 92a31fa5d..767be82e3 100644
--- a/yaml/2d7c96d3-2d6c-44cd-a8a1-5239f571a24a.yml
+++ b/yaml/2d7c96d3-2d6c-44cd-a8a1-5239f571a24a.yml
@@ -27,6 +27,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: HW.sys
   MD5: 3cf7a55ec897cc938aebb8161cb8e74f
diff --git a/yaml/2e4fedb0-30ed-400d-b4e1-b2b2004c1607.yaml b/yaml/2e4fedb0-30ed-400d-b4e1-b2b2004c1607.yaml
index b303ae4ee..e6b97b9d3 100644
--- a/yaml/2e4fedb0-30ed-400d-b4e1-b2b2004c1607.yaml
+++ b/yaml/2e4fedb0-30ed-400d-b4e1-b2b2004c1607.yaml
@@ -24,6 +24,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 2e4fedb0-30ed-400d-b4e1-b2b2004c1607
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/2ea12acc-95b6-4f91-afb7-8ded7a2fe9d9.yml b/yaml/2ea12acc-95b6-4f91-afb7-8ded7a2fe9d9.yml
index b601ac77c..5773fe376 100644
--- a/yaml/2ea12acc-95b6-4f91-afb7-8ded7a2fe9d9.yml
+++ b/yaml/2ea12acc-95b6-4f91-afb7-8ded7a2fe9d9.yml
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
   Person: []
   Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: vmdrv.sys
   MD5: 6d67da13cf84f15f6797ed929dd8cf5d
diff --git a/yaml/31686f0e-3748-48c2-be09-fc8f3252e780.yaml b/yaml/31686f0e-3748-48c2-be09-fc8f3252e780.yaml
index bce43b7cb..37f755678 100644
--- a/yaml/31686f0e-3748-48c2-be09-fc8f3252e780.yaml
+++ b/yaml/31686f0e-3748-48c2-be09-fc8f3252e780.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 31686f0e-3748-48c2-be09-fc8f3252e780
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/31797996-6973-402d-a4a0-d01ce51e02c0.yaml b/yaml/31797996-6973-402d-a4a0-d01ce51e02c0.yaml
index 75f86bc7e..f02c3e8fb 100644
--- a/yaml/31797996-6973-402d-a4a0-d01ce51e02c0.yaml
+++ b/yaml/31797996-6973-402d-a4a0-d01ce51e02c0.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 31797996-6973-402d-a4a0-d01ce51e02c0
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/3277cecc-f4b4-4a00-be01-9da83e013bcd.yaml b/yaml/3277cecc-f4b4-4a00-be01-9da83e013bcd.yaml
index 760daa0e8..ed5fb1393 100644
--- a/yaml/3277cecc-f4b4-4a00-be01-9da83e013bcd.yaml
+++ b/yaml/3277cecc-f4b4-4a00-be01-9da83e013bcd.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 3277cecc-f4b4-4a00-be01-9da83e013bcd
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/32ccd436-eb13-4ab3-83d4-3e5471f4e364.yaml b/yaml/32ccd436-eb13-4ab3-83d4-3e5471f4e364.yaml
index f2244e160..0891593d3 100644
--- a/yaml/32ccd436-eb13-4ab3-83d4-3e5471f4e364.yaml
+++ b/yaml/32ccd436-eb13-4ab3-83d4-3e5471f4e364.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 32ccd436-eb13-4ab3-83d4-3e5471f4e364
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/33a9c9ae-5ca3-442d-9f0f-2615637c1c57.yaml b/yaml/33a9c9ae-5ca3-442d-9f0f-2615637c1c57.yaml
index 0ed1bc54d..a4e5fcbe8 100644
--- a/yaml/33a9c9ae-5ca3-442d-9f0f-2615637c1c57.yaml
+++ b/yaml/33a9c9ae-5ca3-442d-9f0f-2615637c1c57.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 33a9c9ae-5ca3-442d-9f0f-2615637c1c57
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/351ff5ca-f07b-4eb6-9300-d5d31514defb.yaml b/yaml/351ff5ca-f07b-4eb6-9300-d5d31514defb.yaml
index ada2d42e1..ca16dd352 100644
--- a/yaml/351ff5ca-f07b-4eb6-9300-d5d31514defb.yaml
+++ b/yaml/351ff5ca-f07b-4eb6-9300-d5d31514defb.yaml
@@ -24,6 +24,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 351ff5ca-f07b-4eb6-9300-d5d31514defb
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/39742f99-2180-46d7-8538-56667c935cc3.yaml b/yaml/39742f99-2180-46d7-8538-56667c935cc3.yaml
index f49728bd9..c6aaa2859 100644
--- a/yaml/39742f99-2180-46d7-8538-56667c935cc3.yaml
+++ b/yaml/39742f99-2180-46d7-8538-56667c935cc3.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 39742f99-2180-46d7-8538-56667c935cc3
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/3ab0d182-6365-47a7-89f4-34121e889503.yaml b/yaml/3ab0d182-6365-47a7-89f4-34121e889503.yaml
index 23abc8be2..b2ebfdb74 100644
--- a/yaml/3ab0d182-6365-47a7-89f4-34121e889503.yaml
+++ b/yaml/3ab0d182-6365-47a7-89f4-34121e889503.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 3ab0d182-6365-47a7-89f4-34121e889503
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/3ac0eda2-a844-4a9d-9cfa-c25a9e05d678.yaml b/yaml/3ac0eda2-a844-4a9d-9cfa-c25a9e05d678.yaml
index 429e3cc35..17ad45871 100644
--- a/yaml/3ac0eda2-a844-4a9d-9cfa-c25a9e05d678.yaml
+++ b/yaml/3ac0eda2-a844-4a9d-9cfa-c25a9e05d678.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 3ac0eda2-a844-4a9d-9cfa-c25a9e05d678
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/3bc629e8-7bf8-40c2-965b-87eb155e0065.yaml b/yaml/3bc629e8-7bf8-40c2-965b-87eb155e0065.yaml
index d0901e255..d84c4caab 100644
--- a/yaml/3bc629e8-7bf8-40c2-965b-87eb155e0065.yaml
+++ b/yaml/3bc629e8-7bf8-40c2-965b-87eb155e0065.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 3bc629e8-7bf8-40c2-965b-87eb155e0065
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/3e0bf6dc-791b-4170-8c40-427e7299d93d.yaml b/yaml/3e0bf6dc-791b-4170-8c40-427e7299d93d.yaml
index 9669e80fb..291ff436a 100644
--- a/yaml/3e0bf6dc-791b-4170-8c40-427e7299d93d.yaml
+++ b/yaml/3e0bf6dc-791b-4170-8c40-427e7299d93d.yaml
@@ -30,6 +30,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 3e0bf6dc-791b-4170-8c40-427e7299d93d KnownVulnerableSamples: - Authentihash: diff --git a/yaml/3f39af20-802a-4909-a5de-7f6fe7aab350.yaml b/yaml/3f39af20-802a-4909-a5de-7f6fe7aab350.yaml index 465bc9165..36e81faa7 100644 --- a/yaml/3f39af20-802a-4909-a5de-7f6fe7aab350.yaml +++ b/yaml/3f39af20-802a-4909-a5de-7f6fe7aab350.yaml 
@@ -22,6 +22,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 3f39af20-802a-4909-a5de-7f6fe7aab350 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/40bfb01b-d251-4c2c-952e-052a89a76f5b.yaml b/yaml/40bfb01b-d251-4c2c-952e-052a89a76f5b.yaml index e398b6b3d..44b84bf40 100644 --- a/yaml/40bfb01b-d251-4c2c-952e-052a89a76f5b.yaml +++ b/yaml/40bfb01b-d251-4c2c-952e-052a89a76f5b.yaml 
@@ -22,6 +22,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 40bfb01b-d251-4c2c-952e-052a89a76f5b KnownVulnerableSamples: - Authentihash: diff --git a/yaml/43d0af25-c066-471f-bb73-6ce25dc7e0eb.yaml b/yaml/43d0af25-c066-471f-bb73-6ce25dc7e0eb.yaml index 03f8d60c4..a8de713a1 100644 --- a/yaml/43d0af25-c066-471f-bb73-6ce25dc7e0eb.yaml +++ b/yaml/43d0af25-c066-471f-bb73-6ce25dc7e0eb.yaml 
@@ -22,6 +22,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 43d0af25-c066-471f-bb73-6ce25dc7e0eb KnownVulnerableSamples: - Authentihash: diff --git a/yaml/47724cc1-bf75-4ab7-a47a-355a9aa30de1.yaml b/yaml/47724cc1-bf75-4ab7-a47a-355a9aa30de1.yaml index 288d706e5..fdb5768bb 100644 --- a/yaml/47724cc1-bf75-4ab7-a47a-355a9aa30de1.yaml +++ b/yaml/47724cc1-bf75-4ab7-a47a-355a9aa30de1.yaml 
@@ -22,6 +22,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 47724cc1-bf75-4ab7-a47a-355a9aa30de1 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/47a351ee-8abe-40d8-bc2b-557390fa0945.yaml b/yaml/47a351ee-8abe-40d8-bc2b-557390fa0945.yaml index 99e37b1ea..cf6e66117 100644 --- a/yaml/47a351ee-8abe-40d8-bc2b-557390fa0945.yaml +++ b/yaml/47a351ee-8abe-40d8-bc2b-557390fa0945.yaml 
@@ -22,6 +22,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 47a351ee-8abe-40d8-bc2b-557390fa0945 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/47fe1aaf-02cd-4a41-8bf5-0047015a2a6e.yaml b/yaml/47fe1aaf-02cd-4a41-8bf5-0047015a2a6e.yaml index a0c4c1e89..b982a011e 100644 --- a/yaml/47fe1aaf-02cd-4a41-8bf5-0047015a2a6e.yaml +++ b/yaml/47fe1aaf-02cd-4a41-8bf5-0047015a2a6e.yaml 
@@ -22,6 +22,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 47fe1aaf-02cd-4a41-8bf5-0047015a2a6e KnownVulnerableSamples: - Authentihash: diff --git a/yaml/48bc2815-85ec-4436-a51a-69810c8cb171.yaml b/yaml/48bc2815-85ec-4436-a51a-69810c8cb171.yaml index 9eb37c682..f69a65871 100644 --- a/yaml/48bc2815-85ec-4436-a51a-69810c8cb171.yaml +++ b/yaml/48bc2815-85ec-4436-a51a-69810c8cb171.yaml 
@@ -22,6 +22,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 48bc2815-85ec-4436-a51a-69810c8cb171 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/4a80da66-f8f1-4af9-ba56-696cfe6c1e10.yaml b/yaml/4a80da66-f8f1-4af9-ba56-696cfe6c1e10.yaml index 6b20c269d..23c5fb857 100644 --- a/yaml/4a80da66-f8f1-4af9-ba56-696cfe6c1e10.yaml +++ b/yaml/4a80da66-f8f1-4af9-ba56-696cfe6c1e10.yaml 
@@ -26,6 +26,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 4a80da66-f8f1-4af9-ba56-696cfe6c1e10 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/4bf4b425-10af-4cd4-88e6-beb4b947eb48.yaml b/yaml/4bf4b425-10af-4cd4-88e6-beb4b947eb48.yaml new file mode 100644 index 000000000..ebb84a39a --- /dev/null +++ b/yaml/4bf4b425-10af-4cd4-88e6-beb4b947eb48.yaml 
@@ -0,0 +1,203 @@ +Id: 4bf4b425-10af-4cd4-88e6-beb4b947eb48 +Author: Michael Haag +Created: '2023-01-09' +MitreID: T1068 +Category: vulnerable driver +Verified: 'FALSE' +Commands: + Command: sc.exe create IObitUnlocker.sys binPath=C:\windows\temp\IObitUnlocker.sys type=kernel + && sc.exe start IObitUnlocker.sys + Description: '' + Usecase: Elevate privileges + Privileges: kernel + OperatingSystem: Windows 10 +Resources: +- ' https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules' +- https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules +Acknowledgement: + Person: '' + Handle: '' +Detection: +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004.yara +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: 
https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +KnownVulnerableSamples: +- Filename: IObitUnlocker.sys + MD5: 2391fb461b061d0e5fccb050d4af7941 + SHA1: 7c6cad6a268230f6e08417d278dda4d66bb00d13 + SHA256: f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004 + Signature: + - IObit CO., LTD + - DigiCert EV Code Signing CA + - DigiCert + Date: '' + Publisher: '' + Company: IObit Information Technology + Description: Unlocker Driver + Product: Unlocker + ProductVersion: 1.3.0.10 + FileVersion: 1.3.0.10 + MachineType: AMD64 + OriginalFilename: IObitUnlocker.sys + Authentihash: + MD5: 751c91ae91cb43aadaeaa1bb187c593a + SHA1: dd220acea885a954085e614b94da2b5bba5c0cc3 + SHA256: e0aff24a54400fe9f86564b8ce9f874e7ff51e96085ff950baff05844cff2bd1 + InternalName: IObitUnlocker.sys + Copyright: "\xA9 IObit. All rights reserved." 
+ Imports: + - ntoskrnl.exe + ExportedFunctions: '' + ImportedFunctions: + - ExAllocatePoolWithTag + - IoDeleteSymbolicLink + - ExFreePoolWithTag + - IoDeleteDevice + - IofCompleteRequest + - IoCreateSymbolicLink + - IoCreateDevice + - _wcsnicmp + - ZwReadFile + - IoGetRelatedDeviceObject + - MmGetSystemRoutineAddress + - KeInitializeEvent + - ExInterlockedPopEntryList + - KeDelayExecutionThread + - IoFileObjectType + - ZwWaitForSingleObject + - ZwCreateFile + - ExAllocatePool + - IoGetCurrentProcess + - ZwClose + - ObReferenceObjectByHandle + - KeWaitForSingleObject + - RtlCompareUnicodeString + - IoAllocateIrp + - ObfDereferenceObject + - ZwQueryInformationFile + - ZwWriteFile + - ObOpenObjectByPointer + - DbgPrint + - IofCallDriver + - _wcsicmp + - PsGetProcessPeb + - PsLookupProcessByProcessId + - ZwQuerySymbolicLinkObject + - RtlInitUnicodeString + - KeSetEvent + - RtlAppendUnicodeToString + - IoCreateFile + - ZwQuerySystemInformation + - ZwOpenSymbolicLinkObject + - KeUnstackDetachProcess + - ObQueryNameString + - wcsrchr + - ZwQueryDirectoryFile + - _vsnwprintf + - RtlAppendUnicodeStringToString + - ZwDuplicateObject + - IoFreeIrp + - ZwOpenProcess + - PsGetCurrentProcessId + - MmIsAddressValid + - ZwTerminateProcess + - ExInterlockedPushEntryList + - KeStackAttachProcess + - KeBugCheckEx + - __C_specific_handler + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance + EV Root CA + ValidFrom: '2011-04-15 19:45:33' + ValidTo: '2021-04-15 19:55:33' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 61204db4000000000027 + Version: 3 + TBS: + MD5: 8e3ffc222fbcebdbb8b23115ab259be7 + SHA1: ee20bff28ffe13be731c294c90d6ded5aae0ec0e + SHA256: 59826b69bc8c28118c96323b627da59aaca0b142cc5d8bad25a8fcfd399aa821 + - Subject: ??=CN, ??=Sichuan, ??=Wuhou District, 
Chengdu, ??=Private Organization, + serialNumber=91510107072412418F, C=CN, ST=Sichuan, L=Chengdu, O=IObit CO., + LTD, CN=IObit CO., LTD + ValidFrom: '2019-08-27 00:00:00' + ValidTo: '2022-08-30 12:00:00' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 0d98f5df96c592c5b76bfde1cb823096 + Version: 3 + TBS: + MD5: d0ba095f2bdb679cea084b4106479484 + SHA1: 80aba0ecbd2b71c84bc73ac42963bc9ce247a020 + SHA256: a93f8b7111c3e2288e164e42131e2ad52867060479ade1f6e6b3124cde822cfa + - Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing + CA + ValidFrom: '2012-04-18 12:00:00' + ValidTo: '2027-04-18 12:00:00' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 0dd0e3374ac95bdbfa6b434b2a48ec06 + Version: 3 + TBS: + MD5: f92649915476229b093c211c2b18e6c4 + SHA1: 2d54c16a8f8b69ccdea48d0603c132f547a5cf75 + SHA256: 2cd702a7dec30aa441345672e8992ef9770ce4946f276d767b45b0ed627658fb + Signer: + - SerialNumber: 0d98f5df96c592c5b76bfde1cb823096 + Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing + CA + Version: 1 + RichPEHeaderHash: + MD5: 35ffa69ed506b3a5d24d6e9c10f88070 + SHA1: a5d21268d58eebe7c8e0921d0079974d8541ffb7 + SHA256: 7068185b0f6869fa20b8c64c2e6f2c3bedc161bc4118e602df47da640013cb62 + Sections: + .text: + Entropy: 6.174805563267683 + Virtual Size: '0x5976' + .rdata: + Entropy: 4.74536885813998 + Virtual Size: '0x644' + .data: + Entropy: 0.8079955727472559 + Virtual Size: '0x170' + .pdata: + Entropy: 4.257735635509842 + Virtual Size: '0x27c' + INIT: + Entropy: 5.202412460125397 + Virtual Size: '0x72a' + .rsrc: + Entropy: 3.2596097351980737 + Virtual Size: '0x370' + .reloc: + Entropy: 1.2987909647818572 + Virtual Size: '0x24' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2022-08-17 02:18:15' +Tags: +- 
IObitUnlocker.sys diff --git a/yaml/4d365dd0-34c3-492e-a2bd-c16266796ae5.yaml b/yaml/4d365dd0-34c3-492e-a2bd-c16266796ae5.yaml index 21b874d3c..5750e31b3 100644 --- a/yaml/4d365dd0-34c3-492e-a2bd-c16266796ae5.yaml +++ b/yaml/4d365dd0-34c3-492e-a2bd-c16266796ae5.yaml @@ -26,6 +26,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 4d365dd0-34c3-492e-a2bd-c16266796ae5 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/4db827b1-325b-444d-9f23-171285a4d12f.yaml b/yaml/4db827b1-325b-444d-9f23-171285a4d12f.yaml index ef259c91d..ba724ef4e 100644 --- a/yaml/4db827b1-325b-444d-9f23-171285a4d12f.yaml +++ b/yaml/4db827b1-325b-444d-9f23-171285a4d12f.yaml 
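Review bot: The new 4bf4b425 record is created with duplicates already in it: sigma_hash, sigma_names, sysmon_hash_detect and sysmon_hash_block each appear twice in Detection, and the second block (the one following the `yara-rules_vuln_drivers_strict_renamed.yar` entry) should be dropped before the file lands. Resources lists the same Microsoft recommended-driver-block-rules URL twice, and the first copy is quoted with a leading space (`- ' https://learn.microsoft.com/...'`), which renders as a broken link; keep only the unquoted entry. Whether two yara_signature entries are intended here — the per-sample `f85cca4b…aea85004.yara` plus the aggregate ruleset — is not clear from the hunk; if both are meant to coexist, say so in the record's contribution guidance, otherwise keep one.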
@@ -22,6 +22,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 4db827b1-325b-444d-9f23-171285a4d12f KnownVulnerableSamples: - Authentihash: diff --git a/yaml/4dd3289c-522c-4fce-b48e-5370efc90fa1.yml b/yaml/4dd3289c-522c-4fce-b48e-5370efc90fa1.yml index 2aa54e5ab..594b5ec9a 100644 --- a/yaml/4dd3289c-522c-4fce-b48e-5370efc90fa1.yml +++ b/yaml/4dd3289c-522c-4fce-b48e-5370efc90fa1.yml 
@@ -16,7 +16,17 @@ Resources: Acknowledgement: Person: [] Handle: '' -Detection: [] +Detection: +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml KnownVulnerableSamples: - Filename: iQVW64.SYS MD5: c796a92a66ec725b7b7febbdc13dc69b diff --git a/yaml/51c342f3-0b91-4674-8f81-bc016855f30f.yaml b/yaml/51c342f3-0b91-4674-8f81-bc016855f30f.yaml index 4e8c7c662..2758f4a32 100644 --- a/yaml/51c342f3-0b91-4674-8f81-bc016855f30f.yaml +++ b/yaml/51c342f3-0b91-4674-8f81-bc016855f30f.yaml 
@@ -22,6 +22,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 51c342f3-0b91-4674-8f81-bc016855f30f KnownVulnerableSamples: - Authentihash: diff --git a/yaml/54d67d79-0268-4c5f-be7e-0f74cd20828a.yaml b/yaml/54d67d79-0268-4c5f-be7e-0f74cd20828a.yaml index c19ed7b98..1d1826b9d 100644 --- a/yaml/54d67d79-0268-4c5f-be7e-0f74cd20828a.yaml +++ b/yaml/54d67d79-0268-4c5f-be7e-0f74cd20828a.yaml 
@@ -22,6 +22,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 54d67d79-0268-4c5f-be7e-0f74cd20828a KnownVulnerableSamples: - Authentihash: diff --git a/yaml/57f63efb-dc43-4dba-9413-173e3e4be750.yaml b/yaml/57f63efb-dc43-4dba-9413-173e3e4be750.yaml index 911bda565..e2225dc22 100644 --- a/yaml/57f63efb-dc43-4dba-9413-173e3e4be750.yaml +++ b/yaml/57f63efb-dc43-4dba-9413-173e3e4be750.yaml 
@@ -22,6 +22,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 57f63efb-dc43-4dba-9413-173e3e4be750 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/57fc510a-e649-4599-b83e-8f3605e3d1d9.yaml b/yaml/57fc510a-e649-4599-b83e-8f3605e3d1d9.yaml index 6f25f7cea..41328208a 100644 --- a/yaml/57fc510a-e649-4599-b83e-8f3605e3d1d9.yaml +++ b/yaml/57fc510a-e649-4599-b83e-8f3605e3d1d9.yaml 
@@ -28,6 +28,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 57fc510a-e649-4599-b83e-8f3605e3d1d9 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/5943b267-64f3-40d4-8669-354f23dec122.yaml b/yaml/5943b267-64f3-40d4-8669-354f23dec122.yaml index 46f4ce2b2..4d7a14860 100644 --- a/yaml/5943b267-64f3-40d4-8669-354f23dec122.yaml +++ b/yaml/5943b267-64f3-40d4-8669-354f23dec122.yaml 
@@ -30,6 +30,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 5943b267-64f3-40d4-8669-354f23dec122 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/5961e133-ccc3-4530-8f4f-5d975c41028d.yaml b/yaml/5961e133-ccc3-4530-8f4f-5d975c41028d.yaml index 2703327f0..670bb3ec9 100644 --- a/yaml/5961e133-ccc3-4530-8f4f-5d975c41028d.yaml +++ b/yaml/5961e133-ccc3-4530-8f4f-5d975c41028d.yaml 
@@ -15,6 +15,16 @@ Created: '2023-07-22' Detection: - type: '' value: '' +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 5961e133-ccc3-4530-8f4f-5d975c41028d KnownVulnerableSamples: - Authentihash: diff --git a/yaml/5969b6dc-b136-480e-a527-3cb2ea2f0da9.yaml b/yaml/5969b6dc-b136-480e-a527-3cb2ea2f0da9.yaml index 7fcb7efd0..a90f30c3b 100644 --- a/yaml/5969b6dc-b136-480e-a527-3cb2ea2f0da9.yaml +++ b/yaml/5969b6dc-b136-480e-a527-3cb2ea2f0da9.yaml 
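Review bot: The placeholder entry `- type: ''` / `value: ''` is left at the head of this Detection list while populated entries are appended below it, so the record now mixes an empty detection with real ones; the placeholder should be removed (or replaced by the first real entry) so downstream rendering does not emit a blank row and `type`-keyed lookups do not see an empty key. The hunks for 5a03dc5a and 5ad8a3b6 carry the same leftover placeholder. Unlike the other records in this commit, the sigma/sysmon entries added here are first occurrences, so only the placeholder needs attention in these three files.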
@@ -28,6 +28,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 5969b6dc-b136-480e-a527-3cb2ea2f0da9 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/5a03dc5a-115d-4d6f-b5b5-685f4c014a69.yaml b/yaml/5a03dc5a-115d-4d6f-b5b5-685f4c014a69.yaml index 857ea75a2..37274a606 100644 --- a/yaml/5a03dc5a-115d-4d6f-b5b5-685f4c014a69.yaml +++ b/yaml/5a03dc5a-115d-4d6f-b5b5-685f4c014a69.yaml 
@@ -15,6 +15,16 @@ Created: '2023-07-22'
 Detection:
 - type: ''
 value: ''
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 5a03dc5a-115d-4d6f-b5b5-685f4c014a69
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c.yaml b/yaml/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c.yaml
index 7765a88fe..5f496fdf6 100644
--- a/yaml/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c.yaml
+++ b/yaml/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c.yaml
@@ -15,6 +15,16 @@ Created: '2023-07-22'
 Detection:
 - type: ''
 value: ''
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/5af9abf0-d8de-4e9b-8141-e9e97a31901a.yaml b/yaml/5af9abf0-d8de-4e9b-8141-e9e97a31901a.yaml
index b1b3e4725..707491cf3 100644
--- a/yaml/5af9abf0-d8de-4e9b-8141-e9e97a31901a.yaml
+++ b/yaml/5af9abf0-d8de-4e9b-8141-e9e97a31901a.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 5af9abf0-d8de-4e9b-8141-e9e97a31901a
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/5f70bde4-9f81-44a8-9d3e-c6c7cf65bfae.yaml b/yaml/5f70bde4-9f81-44a8-9d3e-c6c7cf65bfae.yaml
index e0d5df2aa..0e22c0af6 100644
--- a/yaml/5f70bde4-9f81-44a8-9d3e-c6c7cf65bfae.yaml
+++ b/yaml/5f70bde4-9f81-44a8-9d3e-c6c7cf65bfae.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 5f70bde4-9f81-44a8-9d3e-c6c7cf65bfae
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/613b8509-18c0-4720-b489-736776b6713e.yml b/yaml/613b8509-18c0-4720-b489-736776b6713e.yml
index 28e483cf4..f1061a5b2 100644
--- a/yaml/613b8509-18c0-4720-b489-736776b6713e.yml
+++ b/yaml/613b8509-18c0-4720-b489-736776b6713e.yml
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
 Person: []
 Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: gdrv.sys
 MD5: b0954711c133d284a171dd560c8f492a
diff --git a/yaml/61514cbd-6f34-4a3e-a022-9ecbccc16feb.yaml b/yaml/61514cbd-6f34-4a3e-a022-9ecbccc16feb.yaml
index cd681581f..5c0f714cb 100644
--- a/yaml/61514cbd-6f34-4a3e-a022-9ecbccc16feb.yaml
+++ b/yaml/61514cbd-6f34-4a3e-a022-9ecbccc16feb.yaml
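Review bot: The new `yara_signature` value for gdrv.sys points at a whole rule-set file (`yara-rules_vuln_drivers_strict_renamed.yar`) rather than at a rule for this driver, and the other four links are repository-wide files that are identical in every entry touched by this commit, so the Detection list no longer tells a reader which rule actually covers this sample without grepping the file for its hashes. If the per-file link is the intended design, consider recording the matching rule's name next to the URL (for example an extra key on the `yara_signature` record) so consumers can locate the rule directly; otherwise a sample-level target would be more useful. This list is freshly created here (`Detection: []` is replaced), so unlike several sibling files there is no duplication; the same observation applies to the other files in this commit that go from an empty list to these five links (66be9e0a, 6ec5ddda, 73196456, 79542852).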
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 61514cbd-6f34-4a3e-a022-9ecbccc16feb
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/66be9e0a-9246-4404-b5b5-7fbde351668f.yml b/yaml/66be9e0a-9246-4404-b5b5-7fbde351668f.yml
index 4da20cf2f..868862d7a 100644
--- a/yaml/66be9e0a-9246-4404-b5b5-7fbde351668f.yml
+++ b/yaml/66be9e0a-9246-4404-b5b5-7fbde351668f.yml
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
 Person: []
 Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: BS_I2cIo.sys
 MD5: 3c4154866f3d483fdc9f4f64ef868888
diff --git a/yaml/670dc258-78b5-4552-a16b-b41917c86f8d.yaml b/yaml/670dc258-78b5-4552-a16b-b41917c86f8d.yaml
index 581c116a7..6bb034ca0 100644
--- a/yaml/670dc258-78b5-4552-a16b-b41917c86f8d.yaml
+++ b/yaml/670dc258-78b5-4552-a16b-b41917c86f8d.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 670dc258-78b5-4552-a16b-b41917c86f8d
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/6a50e368-1120-434b-9232-1a0702c80437.yaml b/yaml/6a50e368-1120-434b-9232-1a0702c80437.yaml
index 77c7e064f..c93b1c14f 100644
--- a/yaml/6a50e368-1120-434b-9232-1a0702c80437.yaml
+++ b/yaml/6a50e368-1120-434b-9232-1a0702c80437.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 6a50e368-1120-434b-9232-1a0702c80437
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/6c0c60f0-895d-428a-a8ae-e10390bceb12.yaml b/yaml/6c0c60f0-895d-428a-a8ae-e10390bceb12.yaml
index 9474c3769..5c13f083f 100644
--- a/yaml/6c0c60f0-895d-428a-a8ae-e10390bceb12.yaml
+++ b/yaml/6c0c60f0-895d-428a-a8ae-e10390bceb12.yaml
@@ -15,6 +15,16 @@ Created: '2023-07-22'
 Detection:
 - type: ''
 value: ''
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 6c0c60f0-895d-428a-a8ae-e10390bceb12
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/6d21df78-d718-44df-b722-99eec654f5b2.yaml b/yaml/6d21df78-d718-44df-b722-99eec654f5b2.yaml
index 45699067a..c42cce057 100644
--- a/yaml/6d21df78-d718-44df-b722-99eec654f5b2.yaml
+++ b/yaml/6d21df78-d718-44df-b722-99eec654f5b2.yaml
@@ -25,6 +25,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 6d21df78-d718-44df-b722-99eec654f5b2
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/6ec5ddda-f302-4008-a73e-12814c1d571f.yml b/yaml/6ec5ddda-f302-4008-a73e-12814c1d571f.yml
index f6c2f6364..44f067ff0 100644
--- a/yaml/6ec5ddda-f302-4008-a73e-12814c1d571f.yml
+++ b/yaml/6ec5ddda-f302-4008-a73e-12814c1d571f.yml
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
 Person: []
 Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: ATSZIO.sys
 MD5: 17b97fbe2e8834d7ad30211635e1b271
diff --git a/yaml/6fc3034f-8b40-44ef-807a-f61d3ea2dece.yaml b/yaml/6fc3034f-8b40-44ef-807a-f61d3ea2dece.yaml
index f6f046905..d3dcb4c8a 100644
--- a/yaml/6fc3034f-8b40-44ef-807a-f61d3ea2dece.yaml
+++ b/yaml/6fc3034f-8b40-44ef-807a-f61d3ea2dece.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 6fc3034f-8b40-44ef-807a-f61d3ea2dece
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/705facba-b595-41dd-86a6-93aefe6a6234.yaml b/yaml/705facba-b595-41dd-86a6-93aefe6a6234.yaml
index dc552ead0..d94828331 100644
--- a/yaml/705facba-b595-41dd-86a6-93aefe6a6234.yaml
+++ b/yaml/705facba-b595-41dd-86a6-93aefe6a6234.yaml
@@ -15,6 +15,16 @@ Created: '2023-07-22'
 Detection:
 - type: ''
 value: ''
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 705facba-b595-41dd-86a6-93aefe6a6234
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/70acea34-7ed2-42d5-885c-eca3c2de640c.yaml b/yaml/70acea34-7ed2-42d5-885c-eca3c2de640c.yaml
index 057e9a687..b3b78adb0 100644
--- a/yaml/70acea34-7ed2-42d5-885c-eca3c2de640c.yaml
+++ b/yaml/70acea34-7ed2-42d5-885c-eca3c2de640c.yaml
@@ -24,6 +24,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 70acea34-7ed2-42d5-885c-eca3c2de640c
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/70fa8606-c147-4c40-8b7a-980290075327.yaml b/yaml/70fa8606-c147-4c40-8b7a-980290075327.yaml
index e4fd03dcc..168f867f7 100644
--- a/yaml/70fa8606-c147-4c40-8b7a-980290075327.yaml
+++ b/yaml/70fa8606-c147-4c40-8b7a-980290075327.yaml
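Review bot: The YARA link added for 70acea34 points at the malicious-driver rule set (`yara-rules_mal_drivers_strict.yar`), yet the sigma and sysmon links appended with it are the vulnerable-driver ones (`driver_load_win_vuln_drivers*.yml`, `sysmon_config_vulnerable_hashes*.xml`). If this sample's hashes live in the malicious-driver YARA set and not in the vulnerable-driver hash lists, the sigma/sysmon records advertise coverage this entry does not have; the sigma/sysmon links should be chosen from the same category the YARA match came from, and the hash lists should be checked for this sample before linking them. Separately, `sysmon_hash_detect` and `sysmon_hash_block` are already present in the context lines above the insertion and are added a second time here; only the `yara_signature` pair is new. The Detection list starts above this hunk.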
@@ -15,6 +15,16 @@ Created: '2023-07-22'
 Detection:
 - type: ''
 value: ''
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 70fa8606-c147-4c40-8b7a-980290075327
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/72637cb1-5ca2-4ad0-a5df-20da17b231b5.yaml b/yaml/72637cb1-5ca2-4ad0-a5df-20da17b231b5.yaml
index e05c978a0..21e763b7c 100644
--- a/yaml/72637cb1-5ca2-4ad0-a5df-20da17b231b5.yaml
+++ b/yaml/72637cb1-5ca2-4ad0-a5df-20da17b231b5.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 72637cb1-5ca2-4ad0-a5df-20da17b231b5
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/73196456-40ae-4b6d-8562-07cf99458a7d.yml b/yaml/73196456-40ae-4b6d-8562-07cf99458a7d.yml
index db10636dd..ac3396439 100644
--- a/yaml/73196456-40ae-4b6d-8562-07cf99458a7d.yml
+++ b/yaml/73196456-40ae-4b6d-8562-07cf99458a7d.yml
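Review bot: As in 70acea34, the `yara_signature` for 72637cb1 points at `yara-rules_mal_drivers_strict.yar` while the accompanying sigma and sysmon links are the vulnerable-driver rule files, so the entry pairs a malicious-driver YARA match with hash lists that may not contain this sample; confirm the sample's hashes are in those lists, or select the sigma/sysmon links by the category the YARA match belongs to. The appended `sysmon_hash_detect` and `sysmon_hash_block` records also duplicate the two already visible in the context lines above the insertion and should be dropped here. The Detection list starts above this hunk.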
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
 Person: []
 Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: kEvP64.sys
 MD5: 4ff880566f22919ed94ffae215d39da5
diff --git a/yaml/73290fcb-a0d7-481e-81a5-65a9859b50f5.yaml b/yaml/73290fcb-a0d7-481e-81a5-65a9859b50f5.yaml
index a0010e688..d8e2f3df1 100644
--- a/yaml/73290fcb-a0d7-481e-81a5-65a9859b50f5.yaml
+++ b/yaml/73290fcb-a0d7-481e-81a5-65a9859b50f5.yaml
@@ -15,6 +15,16 @@ Created: '2023-07-22'
 Detection:
 - type: ''
 value: ''
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 73290fcb-a0d7-481e-81a5-65a9859b50f5
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/76b5dfae-b384-45ce-8646-b2eec6b76a1e.yaml b/yaml/76b5dfae-b384-45ce-8646-b2eec6b76a1e.yaml
index a3cd2546e..87d8065f8 100644
--- a/yaml/76b5dfae-b384-45ce-8646-b2eec6b76a1e.yaml
+++ b/yaml/76b5dfae-b384-45ce-8646-b2eec6b76a1e.yaml
@@ -30,6 +30,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 76b5dfae-b384-45ce-8646-b2eec6b76a1e
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2.yml b/yaml/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2.yml
index 5410645e8..1bce372ba 100644
--- a/yaml/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2.yml
+++ b/yaml/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2.yml
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
 Person: []
 Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: VBoxDrv.sys
 MD5: b1b8e6b85dd03c7f1290b1a071fc79c1
diff --git a/yaml/7a722cd5-69ec-4680-9f20-9387f249a891.yml b/yaml/7a722cd5-69ec-4680-9f20-9387f249a891.yml
new file mode 100644
index 000000000..7e0aa42d9
--- /dev/null
+++ b/yaml/7a722cd5-69ec-4680-9f20-9387f249a891.yml
@@ -0,0 +1,1784 @@ +Id: 7a722cd5-69ec-4680-9f20-9387f249a891 +Author: Nasreddine Bencherchali +Created: '2023-05-06' +MitreID: T1068 +Category: vulnerable driver +Verified: 'TRUE' +Commands: + Command: sc.exe create ElbyCDIO.sys binPath=C:\windows\temp\ElbyCDIO.sys type=kernel + && sc.exe start ElbyCDIO.sys + Description: '' + Usecase: Elevate privileges + Privileges: kernel + OperatingSystem: Windows 10 +Resources: +- Internal Research +Acknowledgement: + Person: [] + Handle: '' +Detection: +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +KnownVulnerableSamples: +- Filename: ElbyCDIO.sys + MD5: 702d5606cf2199e0edea6f0e0d27cd10 + SHA1: 879e327292616c56bd4aafc279fbda6cc393b74d + SHA256: 238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4 + Authentihash: + MD5: 350ab25a105b2fee583f1b903d48788e + SHA1: 23a6345ab41ff68e31cef025de23cc8c81c90725 + SHA256: 86236392bb2cc77100bd83d34a30e3fb60aa727d0b11c147a838d9a205bae80e + Description: ElbyCD Windows x64 I/O driver + Company: Elaborate Bytes AG + InternalName: ElbyCDIO + OriginalFilename: ElbyCDIO.sys + FileVersion: 6, 0, 3, 2 + Product: CDRTools + ProductVersion: 6, 0, 0, 0 + Copyright: Copyright (C) 2000 - 2009 Elaborate Bytes AG + MachineType: AMD64 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - 
KeAcquireSpinLockRaiseToDpc + - KeReleaseSpinLock + - KeWaitForSingleObject + - KeReleaseMutex + - __C_specific_handler + - ProbeForRead + - ProbeForWrite + - ZwReadFile + - ZwWriteFile + - ZwCreateFile + - RtlInitUnicodeString + - swprintf + - ZwQueryVolumeInformationFile + - ZwOpenFile + - ZwClose + - ZwQuerySymbolicLinkObject + - ZwOpenSymbolicLinkObject + - PsTerminateSystemThread + - ZwSetInformationThread + - ObfDereferenceObject + - ObReferenceObjectByHandle + - PsCreateSystemThread + - KeInitializeEvent + - PsGetCurrentProcessId + - IofCompleteRequest + - KeInitializeMutex + - ExAllocatePool + - ExFreePool + - RtlFreeUnicodeString + - RtlAnsiStringToUnicodeString + - RtlInitAnsiString + - IoDeleteSymbolicLink + - IoDeleteDevice + - IofCallDriver + - IoBuildDeviceIoControlRequest + - IoCreateSymbolicLink + - IoCreateDevice + - KeBugCheckEx + - KeSetEvent + - KeQueryPerformanceCounter + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , + G2 + ValidFrom: '2007-06-15 00:00:00' + ValidTo: '2012-06-14 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 3825d7faf861af9ef490e726b5d65ad5 + Version: 3 + TBS: + MD5: d6c7684e9aaa508cf268335f83afe040 + SHA1: 18066d20ad92409c567cdfde745279ff71c75226 + SHA256: a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2013-12-03 23:59:59' + Signature: 4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + 
SerialNumber: 47bf1995df8d524643f7db6d480d31a4 + Version: 3 + TBS: + MD5: 518d2ea8a21e879c942d504824ac211c + SHA1: 21ce87d827077e61abddf2beba69fde5432ea031 + SHA256: 1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 + - Subject: C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign + Primary Object Publishing CA + ValidFrom: '1999-01-28 12:00:00' + ValidTo: '2014-01-27 11:00:00' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 04000000000108d9611cd6 + Version: 3 + TBS: + MD5: 698f075151097d84c0b1f3e7bc3d6fca + SHA1: 041750993d7c9e063f02dfe74699598640911aab + SHA256: a8622cca0913a20477be8313b8d16fcad5d83088b46b36ddac10b31e96abb5e8 + - Subject: C=CH, O=Elaborate Bytes AG, CN=Elaborate Bytes AG, emailAddress=admin@elby.ch + ValidFrom: '2008-12-23 13:26:11' + ValidTo: '2011-12-23 13:26:11' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 0100000000011e643e96d0 + Version: 3 + TBS: + MD5: f39798a2df6dda6c76b4697e743c8b80 + SHA1: d97d9f0d2cad2881eda58fa0467cff6396be6408 + SHA256: 5086b06e5d91585b5a110b3ec4048ce6a43a58e4fc7eb8aa99c391af5b2f8d9f + - Subject: C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign + CA + ValidFrom: '2004-01-22 09:00:00' + ValidTo: '2014-01-27 10:00:00' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 04000000000108d9612448 + Version: 3 + TBS: + MD5: 2fc76031fc24eec1ef3db2d246d21d6a + SHA1: 75c3a1f76b9dfa31ef6bf56325e7bd0bf6e4779d + SHA256: 9238292d441c56dc89684c253343c17de3ed9cecd7f83d1d8f793b5ebc91f7b9 + - Subject: C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA + ValidFrom: '2006-05-23 17:00:51' + ValidTo: '2016-05-23 17:10:51' + Signature: 
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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610b7f6b000000000019 + Version: 3 + TBS: + MD5: 4798d55be7663a75649cda4dedc686ef + SHA1: 0f1ab2937b245d9466ea6f9bf056a5942e3989cf + SHA256: ef14ea05bb066ee9f4188196dd69cd769b283ac4d7555db52f5e76922d3456e1 + Signer: + - SerialNumber: 0100000000011e643e96d0 + Issuer: C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign + CA + Version: 1 + RichPEHeaderHash: + MD5: 19c3041e63a42fad9800c3d4098a28a7 + SHA1: 083ef31132cacb2ead9d826d90646517ca732570 + SHA256: 3829fddcb11b40682e3936be4c0f376d99a9caf02692368aef98332f68ce80e8 + Sections: + .text: + Entropy: 6.236432237090433 + Virtual Size: '0x3b02' + .rdata: + Entropy: 6.243435646899353 + Virtual Size: '0xb78' + .data: + Entropy: 0.5159719988134768 + Virtual Size: '0x110' + .pdata: + Entropy: 4.200185461485669 + Virtual Size: '0x30c' + INIT: + Entropy: 5.002469637112522 + Virtual Size: '0x562' + .rsrc: + Entropy: 3.322459175866386 + Virtual Size: '0x4a8' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2009-02-17 10:11:23' +- Filename: ElbyCDIO.sys + MD5: 945ef111161bae49075107e5bc11a23f + SHA1: ea37a4241fa4d92c168d052c4e095ccd22a83080 + SHA256: 2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445 + Authentihash: + MD5: 5560e048b895a592a481f9340852e3cd + SHA1: 1e73dbe3d0bed9def62c1f76a0c58aa6c61e8f74 + SHA256: d378162a47648bed192270ab4ddd67c99b4ebe8093a267fa1fe1e092559504b0 + Description: ElbyCD Windows NT/2000/XP I/O driver + Company: Elaborate Bytes AG + InternalName: ElbyCDIO + OriginalFilename: ElbyCDIO.sys + FileVersion: 6, 0, 0, 2 + Product: CDRTools + ProductVersion: 6, 0, 0, 0 + Copyright: Copyright (C) 2000 - 2007 Elaborate Bytes AG + MachineType: I386 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - KeWaitForSingleObject + - RtlFreeUnicodeString + - ZwCreateFile + - RtlAnsiStringToUnicodeString + - 
RtlInitAnsiString + - ZwCreateKey + - ZwOpenKey + - IoDeleteSymbolicLink + - RtlInitUnicodeString + - IoDeleteDevice + - IofCallDriver + - IoBuildDeviceIoControlRequest + - KeInitializeEvent + - IoFreeMdl + - MmUnlockPages + - KeReleaseMutex + - MmProbeAndLockPages + - IoAllocateMdl + - ExFreePool + - ObfDereferenceObject + - ObReferenceObjectByHandle + - ExAllocatePool + - ZwDeleteKey + - ZwClose + - ZwDeviceIoControlFile + - IoCreateSymbolicLink + - KeInitializeMutex + - IoCreateDevice + - RtlUnwind + - KeTickCount + - MmMapLockedPages + - IofCompleteRequest + - KeQueryPerformanceCounter + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=CH, O=Elaborate Bytes AG, CN=Elaborate Bytes AG, emailAddress=admin@elby.ch + ValidFrom: '2006-12-07 11:07:29' + ValidTo: '2008-12-07 11:07:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 0100000000010f5c98b8f5 + Version: 3 + TBS: + MD5: 832074a51bea8e4758c8dfeb2e96ad84 + SHA1: 04ba895ed074635a01875a1f25da93e2e2cbbfba + SHA256: c5ba90a16c07cee0cb480ee21c9bedaf3ea4cbe004589b74fb9c2c0bedbc7c1b + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2013-12-03 23:59:59' + Signature: 4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 47bf1995df8d524643f7db6d480d31a4 + Version: 3 + TBS: + MD5: 518d2ea8a21e879c942d504824ac211c + SHA1: 21ce87d827077e61abddf2beba69fde5432ea031 + SHA256: 1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 + - Subject: C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, 
CN=GlobalSign + Primary Object Publishing CA + ValidFrom: '1999-01-28 12:00:00' + ValidTo: '2014-01-27 11:00:00' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 04000000000108d9611cd6 + Version: 3 + TBS: + MD5: 698f075151097d84c0b1f3e7bc3d6fca + SHA1: 041750993d7c9e063f02dfe74699598640911aab + SHA256: a8622cca0913a20477be8313b8d16fcad5d83088b46b36ddac10b31e96abb5e8 + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2008-12-03 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 0de92bf0d4d82988183205095e9a7688 + Version: 3 + TBS: + MD5: 45c204b8a20f6abb0188d2d38a3fb0c9 + SHA1: cdf3a3c5c2eda4c29621f30fd3154f9f8c765739 + SHA256: e32839dddc0f4ed2474efaf37f59d46db400c700fd19533cb0895a111124bc77 + - Subject: C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign + CA + ValidFrom: '2004-01-22 09:00:00' + ValidTo: '2014-01-27 10:00:00' + Signature: 11d45d8af43d0d9d7e4fa70071610b56b34caa70e1b2d1dec7886d1d897c2ba946e58b1f8e4cc26695911fe34d394ae31b70b7446edc068a4d6d25e89812dcbca0dd864eae8f81130540905a542529944acaf165b4ef0679dae7cb86f004c918dcee72b320015748dfe333e12ccd9c077f9447278d888d340ca67c5c20c17d07b3736b648c26d29bd7e87965a6a891a174862a050282c1847cf279cd3c2a2b0f99291eea8c8a1ab16aeaa266380e65e1add8c6c91f888d3976ee1782c4138d97ce6341e77af5b4b66c15c33813b3930b620688dde1447f10a950248b60dc05f75ba514b27b56720b96eabffc057090659e051ca4dd07af4b57dec639673bc574 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 04000000000108d9612448 + Version: 3 + TBS: + MD5: 2fc76031fc24eec1ef3db2d246d21d6a + SHA1: 75c3a1f76b9dfa31ef6bf56325e7bd0bf6e4779d + SHA256: 9238292d441c56dc89684c253343c17de3ed9cecd7f83d1d8f793b5ebc91f7b9 + - Subject: 
C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA + ValidFrom: '2006-05-23 17:00:51' + ValidTo: '2016-05-23 17:10:51' + Signature: 13c56c5e077f3c57ff9b315f3fbd955425c679f92c31034d64694b56d95b976f7cf3f0d024657538639813701613f7a701f1c623e085866c0bf080945a75e87ce41e92b473bfc1b3a7b00bd31884cbcc09a35c9c4f3eb03a9c2d1bc404ef9737966fe5ecbaac6ab3d4e23cdf8b25e7acbc624531dda40a72e41bf8784301ccba3914de5d90aed85acf5eca46815133d5a60e5867d3d8665888169beeb11acaad91138421da9a6e20efda007428bac95ff34d5dc3da25692554ea44bcc39b29331cd63c961f8781c553d72a2733d42e197c08586ddb4e1999a9ea5ff39a9d8c513a5a5cbd2fa908359b54a7db351a521633343aa380046afdb4838cad90cf0c3a6596ec334e1826b849bbeb8192ff134d324b23c733e7b6716b15f69c80e6bcb76cbe41d5033a7133150050743b0e5df996aaed903eab134c809926bc38a5eb0236891db620be83ab10f8199ed76379d4aeb12f6136f94a4ba833c70e7241f9f1b1907eae46efde397b75a0411459041d42bc4788b8130e05fa1df0808dff70c677d84bdc460e231a72d5bfdefeaaae69583cfc5c46e4d5819a8b6e6559771a32a590a6b6649364fd0753c9a0de28ad2a6cc638d181ce98f54019e92c1743a4265fd3443053e41d02baa40a2f16dd7a60275242bbad98372897e4b8d27911e3108c48d5305d0a0c52def588ea8d1a2d67c9f4801484b7850cd16628a5c66f2461 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610b7f6b000000000019 + Version: 3 + TBS: + MD5: 4798d55be7663a75649cda4dedc686ef + SHA1: 0f1ab2937b245d9466ea6f9bf056a5942e3989cf + SHA256: ef14ea05bb066ee9f4188196dd69cd769b283ac4d7555db52f5e76922d3456e1 + Signer: + - SerialNumber: 0100000000010f5c98b8f5 + Issuer: C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign + CA + Version: 1 + RichPEHeaderHash: + MD5: c15e20cb179a835c6a295f891d4f43f6 + SHA1: fb716dec77e711df26bca8c29284c5c21c92a808 + SHA256: 626b9fbb41fcf7bc7185e02b6d4ca83f5070929c4645876c4b19aa50765655e1 + Sections: + .text: + Entropy: 6.014899913315142 + Virtual Size: '0xe10' + .rdata: + Entropy: 3.9543650485820954 + Virtual Size: '0x178' + .data: + Entropy: 1.9182958340544898 + Virtual Size: '0x18' + 
INIT: + Entropy: 5.282185901600035 + Virtual Size: '0x3a0' + .rsrc: + Entropy: 3.3264202882353087 + Virtual Size: '0x4d8' + .reloc: + Entropy: 4.897249100220145 + Virtual Size: '0x134' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2007-02-28 13:56:05' +- Filename: ElbyCDIO.sys + MD5: 24fe18891c173a7c76426d08d2b0630e + SHA1: f640c94e71921479cc48d06b59aba41ffa50a769 + SHA256: 5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185 + Authentihash: + MD5: 46eca1eab6ab83208b56787f55ed4117 + SHA1: 1b62759087cbe7f5f9a82477bc2f2b19bb51f41d + SHA256: e35d09a903d76810830aff2fc87bb3071026d982a334b3ee4c68f66cba865109 + Description: ElbyCD Windows NT/2000/XP I/O driver + Company: Elaborate Bytes AG + InternalName: ElbyCDIO + OriginalFilename: ElbyCDIO.sys + FileVersion: 6, 0, 1, 1 + Product: CDRTools + ProductVersion: 6, 0, 0, 0 + Copyright: Copyright (C) 2000 - 2008 Elaborate Bytes AG + MachineType: I386 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - ZwWriteFile + - ZwCreateFile + - RtlInitUnicodeString + - swprintf + - ZwQueryVolumeInformationFile + - ZwOpenFile + - ZwClose + - ZwQuerySymbolicLinkObject + - ZwOpenSymbolicLinkObject + - PsTerminateSystemThread + - ZwSetInformationThread + - KeWaitForSingleObject + - KeSetEvent + - ObfDereferenceObject + - ObReferenceObjectByHandle + - PsCreateSystemThread + - KeInitializeEvent + - KeReleaseMutex + - PsGetCurrentProcessId + - IofCompleteRequest + - KeInitializeMutex + - ZwReadFile + - RtlFreeUnicodeString + - RtlAnsiStringToUnicodeString + - RtlInitAnsiString + - ZwCreateKey + - ZwOpenKey + - IoDeleteSymbolicLink + - IoDeleteDevice + - IofCallDriver + - IoBuildDeviceIoControlRequest + - IoFreeMdl + - MmUnlockPages + - MmMapLockedPages + - MmProbeAndLockPages + - IoAllocateMdl + - _except_handler3 + - ZwDeleteKey + - ZwDeviceIoControlFile + - IoCreateSymbolicLink + - IoCreateDevice + - KeTickCount + - KeBugCheckEx + - KeInitializeSpinLock + - ExFreePool + - ExAllocatePool + - 
KfReleaseSpinLock + - KfAcquireSpinLock + - KeQueryPerformanceCounter + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=CH, O=Elaborate Bytes AG, CN=Elaborate Bytes AG, emailAddress=admin@elby.ch + ValidFrom: '2006-12-07 11:07:29' + ValidTo: '2008-12-07 11:07:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 0100000000010f5c98b8f5 + Version: 3 + TBS: + MD5: 832074a51bea8e4758c8dfeb2e96ad84 + SHA1: 04ba895ed074635a01875a1f25da93e2e2cbbfba + SHA256: c5ba90a16c07cee0cb480ee21c9bedaf3ea4cbe004589b74fb9c2c0bedbc7c1b + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , + G2 + ValidFrom: '2007-06-15 00:00:00' + ValidTo: '2012-06-14 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 3825d7faf861af9ef490e726b5d65ad5 + Version: 3 + TBS: + MD5: d6c7684e9aaa508cf268335f83afe040 + SHA1: 18066d20ad92409c567cdfde745279ff71c75226 + SHA256: a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2013-12-03 23:59:59' + Signature: 4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 47bf1995df8d524643f7db6d480d31a4 + Version: 3 + TBS: + MD5: 518d2ea8a21e879c942d504824ac211c + SHA1: 21ce87d827077e61abddf2beba69fde5432ea031 + SHA256: 1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 + - Subject: C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, 
CN=GlobalSign + Primary Object Publishing CA + ValidFrom: '1999-01-28 12:00:00' + ValidTo: '2014-01-27 11:00:00' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 04000000000108d9611cd6 + Version: 3 + TBS: + MD5: 698f075151097d84c0b1f3e7bc3d6fca + SHA1: 041750993d7c9e063f02dfe74699598640911aab + SHA256: a8622cca0913a20477be8313b8d16fcad5d83088b46b36ddac10b31e96abb5e8 + - Subject: C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign + CA + ValidFrom: '2004-01-22 09:00:00' + ValidTo: '2014-01-27 10:00:00' + Signature: 11d45d8af43d0d9d7e4fa70071610b56b34caa70e1b2d1dec7886d1d897c2ba946e58b1f8e4cc26695911fe34d394ae31b70b7446edc068a4d6d25e89812dcbca0dd864eae8f81130540905a542529944acaf165b4ef0679dae7cb86f004c918dcee72b320015748dfe333e12ccd9c077f9447278d888d340ca67c5c20c17d07b3736b648c26d29bd7e87965a6a891a174862a050282c1847cf279cd3c2a2b0f99291eea8c8a1ab16aeaa266380e65e1add8c6c91f888d3976ee1782c4138d97ce6341e77af5b4b66c15c33813b3930b620688dde1447f10a950248b60dc05f75ba514b27b56720b96eabffc057090659e051ca4dd07af4b57dec639673bc574 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 04000000000108d9612448 + Version: 3 + TBS: + MD5: 2fc76031fc24eec1ef3db2d246d21d6a + SHA1: 75c3a1f76b9dfa31ef6bf56325e7bd0bf6e4779d + SHA256: 9238292d441c56dc89684c253343c17de3ed9cecd7f83d1d8f793b5ebc91f7b9 + - Subject: C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA + ValidFrom: '2006-05-23 17:00:51' + ValidTo: '2016-05-23 17:10:51' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610b7f6b000000000019 + Version: 3 + TBS: + MD5: 4798d55be7663a75649cda4dedc686ef + SHA1: 0f1ab2937b245d9466ea6f9bf056a5942e3989cf + SHA256: ef14ea05bb066ee9f4188196dd69cd769b283ac4d7555db52f5e76922d3456e1 + Signer: + - SerialNumber: 
0100000000010f5c98b8f5 + Issuer: C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign + CA + Version: 1 + RichPEHeaderHash: + MD5: 27082193599c13d88cd3571465c0869f + SHA1: 0ca5abc904d8a25537355902fe3e897263b7c780 + SHA256: 345dc7d1b4b40f3ae817e86ae8a68038f88f5c21c8c34876e2f0c320a681e724 + Sections: + .text: + Entropy: 6.424057457116316 + Virtual Size: '0x2bf0' + .rdata: + Entropy: 7.160715749285086 + Virtual Size: '0x5d4' + .data: + Entropy: 2.0 + Virtual Size: '0x4' + INIT: + Entropy: 5.4154107889213075 + Virtual Size: '0x538' + .rsrc: + Entropy: 3.332445756647145 + Virtual Size: '0x4d8' + .reloc: + Entropy: 5.01593937139053 + Virtual Size: '0x1c2' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2008-07-16 14:59:48' +- Filename: ElbyCDIO.sys + MD5: aaa8999a169e39fb8b48ae49cd6ac30a + SHA1: 2eeab9786dac3f5f69e642f6e29f4e4819038551 + SHA256: 8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60 + Authentihash: + MD5: efa9728ff65fc5bd690400a9a6252642 + SHA1: b827692fe57b0b51f7671d55c0a5dd6446342acd + SHA256: 911541d26b605a97ba099563b9eb7e027c102f139dba5884a57df5a13cf3dcef + Description: ElbyCD Windows NT/2000/XP I/O driver + Company: Elaborate Bytes AG + InternalName: ElbyCDIO + OriginalFilename: ElbyCDIO.sys + FileVersion: 6, 0, 1, 0 + Product: CDRTools + ProductVersion: 6, 0, 0, 0 + Copyright: Copyright (C) 2000 - 2007 Elaborate Bytes AG + MachineType: I386 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - ZwWriteFile + - ZwClose + - ZwSetInformationFile + - ZwQueryInformationFile + - ZwOpenFile + - RtlInitUnicodeString + - ZwCreateFile + - ZwCreateKey + - swprintf + - ZwQueryVolumeInformationFile + - ZwQuerySymbolicLinkObject + - ZwOpenSymbolicLinkObject + - ZwQueryValueKey + - ZwOpenKey + - ZwSetValueKey + - ZwSetInformationThread + - PsTerminateSystemThread + - KeWaitForSingleObject + - KeSetEvent + - ObfDereferenceObject + - ObReferenceObjectByHandle + - PsCreateSystemThread + - KeInitializeEvent + 
- ZwReadFile + - PsGetCurrentProcessId + - IofCompleteRequest + - KeInitializeMutex + - ExAllocatePool + - RtlFreeUnicodeString + - RtlAnsiStringToUnicodeString + - RtlInitAnsiString + - IoDeleteSymbolicLink + - IoDeleteDevice + - IofCallDriver + - IoBuildDeviceIoControlRequest + - IoFreeMdl + - MmUnlockPages + - MmMapLockedPages + - MmProbeAndLockPages + - IoAllocateMdl + - _except_handler3 + - ZwDeleteKey + - ZwDeviceIoControlFile + - IoCreateSymbolicLink + - IoCreateDevice + - KeTickCount + - KeBugCheckEx + - KeInitializeSpinLock + - ExFreePool + - KeReleaseMutex + - KfReleaseSpinLock + - KfAcquireSpinLock + - KeQueryPerformanceCounter + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=CH, O=Elaborate Bytes AG, CN=Elaborate Bytes AG, emailAddress=admin@elby.ch + ValidFrom: '2006-12-07 11:07:29' + ValidTo: '2008-12-07 11:07:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 0100000000010f5c98b8f5 + Version: 3 + TBS: + MD5: 832074a51bea8e4758c8dfeb2e96ad84 + SHA1: 04ba895ed074635a01875a1f25da93e2e2cbbfba + SHA256: c5ba90a16c07cee0cb480ee21c9bedaf3ea4cbe004589b74fb9c2c0bedbc7c1b + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , + G2 + ValidFrom: '2007-06-15 00:00:00' + ValidTo: '2012-06-14 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 3825d7faf861af9ef490e726b5d65ad5 + Version: 3 + TBS: + MD5: d6c7684e9aaa508cf268335f83afe040 + SHA1: 18066d20ad92409c567cdfde745279ff71c75226 + SHA256: a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2013-12-03 23:59:59' + Signature: 
4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 47bf1995df8d524643f7db6d480d31a4 + Version: 3 + TBS: + MD5: 518d2ea8a21e879c942d504824ac211c + SHA1: 21ce87d827077e61abddf2beba69fde5432ea031 + SHA256: 1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 + - Subject: C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign + Primary Object Publishing CA + ValidFrom: '1999-01-28 12:00:00' + ValidTo: '2014-01-27 11:00:00' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 04000000000108d9611cd6 + Version: 3 + TBS: + MD5: 698f075151097d84c0b1f3e7bc3d6fca + SHA1: 041750993d7c9e063f02dfe74699598640911aab + SHA256: a8622cca0913a20477be8313b8d16fcad5d83088b46b36ddac10b31e96abb5e8 + - Subject: C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign + CA + ValidFrom: '2004-01-22 09:00:00' + ValidTo: '2014-01-27 10:00:00' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 04000000000108d9612448 + Version: 3 + TBS: + MD5: 2fc76031fc24eec1ef3db2d246d21d6a + SHA1: 75c3a1f76b9dfa31ef6bf56325e7bd0bf6e4779d + SHA256: 9238292d441c56dc89684c253343c17de3ed9cecd7f83d1d8f793b5ebc91f7b9 + - Subject: C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA + ValidFrom: '2006-05-23 17:00:51' + ValidTo: '2016-05-23 17:10:51' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610b7f6b000000000019 + Version: 3 + TBS: + MD5: 
4798d55be7663a75649cda4dedc686ef + SHA1: 0f1ab2937b245d9466ea6f9bf056a5942e3989cf + SHA256: ef14ea05bb066ee9f4188196dd69cd769b283ac4d7555db52f5e76922d3456e1 + Signer: + - SerialNumber: 0100000000010f5c98b8f5 + Issuer: C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign + CA + Version: 1 + RichPEHeaderHash: + MD5: 2bd828d8b8ded8e0c78b284e2297acf9 + SHA1: 2ab50048d7b02cbbbffdf54058b0df8f317c21af + SHA256: 56c02208d99c7edffe52c78ded19f95263f6e97639c8f4c6497ebf2191a732fd + Sections: + .text: + Entropy: 6.372399086395989 + Virtual Size: '0x2e68' + .rdata: + Entropy: 7.130199720860538 + Virtual Size: '0x5e4' + .data: + Entropy: 2.0 + Virtual Size: '0x4' + INIT: + Entropy: 5.4063363613622535 + Virtual Size: '0x59c' + .rsrc: + Entropy: 3.323528167515758 + Virtual Size: '0x4d8' + .reloc: + Entropy: 5.105327103742467 + Virtual Size: '0x1f0' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2007-08-07 13:48:32' +- Filename: ElbyCDIO.sys + MD5: d21fba3d09e5b060bd08796916166218 + SHA1: caa0cb48368542a54949be18475d45b342fb76e5 + SHA256: 82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989 + Authentihash: + MD5: 2b8c47b3e15625119ef7576646fdefda + SHA1: 5ad820b5cac4e44ded1534169631e7d3fc8547d1 + SHA256: 8907c476440abdd7f71feb068443a7c9736aa6bf625dfb8b6931c46341aa4abf + Description: ElbyCD Windows NT/2000/XP I/O driver + Company: Elaborate Bytes AG + InternalName: ElbyCDIO + OriginalFilename: ElbyCDIO.sys + FileVersion: 6, 0, 0, 7 + Product: CDRTools + ProductVersion: 6, 0, 0, 0 + Copyright: Copyright (C) 2000 - 2007 Elaborate Bytes AG + MachineType: I386 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - ZwWriteFile + - ZwClose + - ZwSetInformationFile + - ZwQueryInformationFile + - ZwOpenFile + - RtlInitUnicodeString + - ZwCreateFile + - ZwOpenKey + - swprintf + - ZwQueryVolumeInformationFile + - ZwQuerySymbolicLinkObject + - ZwOpenSymbolicLinkObject + - PsTerminateSystemThread + - ZwQueryInformationProcess + - 
ZwSetInformationThread + - KeReleaseMutex + - ObfDereferenceObject + - KeWaitForMultipleObjects + - PsCreateSystemThread + - KeWaitForSingleObject + - ObReferenceObjectByHandle + - ZwOpenProcess + - KeSetEvent + - KeInitializeEvent + - ZwReadFile + - IofCompleteRequest + - KeInitializeMutex + - ExAllocatePool + - RtlFreeUnicodeString + - RtlAnsiStringToUnicodeString + - RtlInitAnsiString + - ZwCreateKey + - IoDeleteSymbolicLink + - IoDeleteDevice + - IofCallDriver + - IoBuildDeviceIoControlRequest + - IoFreeMdl + - MmUnlockPages + - MmMapLockedPages + - MmProbeAndLockPages + - IoAllocateMdl + - _except_handler3 + - ZwDeleteKey + - ZwDeviceIoControlFile + - IoCreateSymbolicLink + - IoCreateDevice + - KeTickCount + - KeBugCheckEx + - KeInitializeSpinLock + - ExFreePool + - PsGetCurrentProcessId + - KfReleaseSpinLock + - KfAcquireSpinLock + - KeQueryPerformanceCounter + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=CH, O=Elaborate Bytes AG, CN=Elaborate Bytes AG, emailAddress=admin@elby.ch + ValidFrom: '2006-12-07 11:07:29' + ValidTo: '2008-12-07 11:07:29' + Signature: 312a78bb7289ca49f93bb483f0a56c77003b9bc3dda8096af5a455a642aeb201ceaadcacce82396eadef1bc05108e296eae1d8d074949170f28f78fa24bed56e7dca69067866d2d790c10929db5d6e7026906dc96a4c3e2b0254b86328393272826bad272dc3911b2c3ec6832d88e95a696d7e5da86c3f946c306df5a5d7e78b0cba5df4d78035e76fa33c452afc780ffe36246c58fdd0e150d22fce7df4dd954eae19a60009e5b99b8649b6d728a46bd9f90ddfbccb6951dfa7b106a6d0fda3b76b23ef475dcf2d1147ae15d4d34035e1929681fe802dfbc5bbbcd98e107c39cbe07cce6911a9202709853bcc4748fde8dc409b7939be5e4b6c97fb90dc6031 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 0100000000010f5c98b8f5 + Version: 3 + TBS: + MD5: 832074a51bea8e4758c8dfeb2e96ad84 + SHA1: 04ba895ed074635a01875a1f25da93e2e2cbbfba + SHA256: c5ba90a16c07cee0cb480ee21c9bedaf3ea4cbe004589b74fb9c2c0bedbc7c1b + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping 
Services Signer , + G2 + ValidFrom: '2007-06-15 00:00:00' + ValidTo: '2012-06-14 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 3825d7faf861af9ef490e726b5d65ad5 + Version: 3 + TBS: + MD5: d6c7684e9aaa508cf268335f83afe040 + SHA1: 18066d20ad92409c567cdfde745279ff71c75226 + SHA256: a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2013-12-03 23:59:59' + Signature: 4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 47bf1995df8d524643f7db6d480d31a4 + Version: 3 + TBS: + MD5: 518d2ea8a21e879c942d504824ac211c + SHA1: 21ce87d827077e61abddf2beba69fde5432ea031 + SHA256: 1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 + - Subject: C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign + Primary Object Publishing CA + ValidFrom: '1999-01-28 12:00:00' + ValidTo: '2014-01-27 11:00:00' + Signature: a0422eb876a7427186404d464d5b26b0b074f93f89a87b7cb7f1c697e08239999d43fe60823642b55b878df55df4bbffa91044a871d3c7f12241f29aa4a5ec63fae5eb654a19309d8bc7b6fddc3fe16cfdd5521407fc6d24ccb3cc81a2c052f327b96d9e063dd8a849023269c7054294d0bbe3bba908c393501bdb846dc0ba1e5298659c1376bdb3d567292f1f7baa2c51a0fd854f263c48a38127a6feee7f7899c245cf9d1f527ed7958bfde1d020c3af7e51a22f663bab2dcf2d8e8c4d7d18392128fbdcae6d6581d0e0d7184be7b5f774d784e6522aac3b68fd3b4ab80154849132bb95d28e6330a69ece2396feab2eb86a8b74dcde21a114c2fbbf53af10 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 
04000000000108d9611cd6 + Version: 3 + TBS: + MD5: 698f075151097d84c0b1f3e7bc3d6fca + SHA1: 041750993d7c9e063f02dfe74699598640911aab + SHA256: a8622cca0913a20477be8313b8d16fcad5d83088b46b36ddac10b31e96abb5e8 + - Subject: C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign + CA + ValidFrom: '2004-01-22 09:00:00' + ValidTo: '2014-01-27 10:00:00' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 04000000000108d9612448 + Version: 3 + TBS: + MD5: 2fc76031fc24eec1ef3db2d246d21d6a + SHA1: 75c3a1f76b9dfa31ef6bf56325e7bd0bf6e4779d + SHA256: 9238292d441c56dc89684c253343c17de3ed9cecd7f83d1d8f793b5ebc91f7b9 + - Subject: C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA + ValidFrom: '2006-05-23 17:00:51' + ValidTo: '2016-05-23 17:10:51' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610b7f6b000000000019 + Version: 3 + TBS: + MD5: 4798d55be7663a75649cda4dedc686ef + SHA1: 0f1ab2937b245d9466ea6f9bf056a5942e3989cf + SHA256: ef14ea05bb066ee9f4188196dd69cd769b283ac4d7555db52f5e76922d3456e1 + Signer: + - SerialNumber: 0100000000010f5c98b8f5 + Issuer: C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign + CA + Version: 1 + RichPEHeaderHash: + MD5: 589450fa6c6213445bb9aa901c944d47 + SHA1: de49771e01d34ce6f4663a14eea50c9f509ab899 + SHA256: 9e7a40176c4bb2dc5645359adf4e7252cab1ba935e18e191db2889044dc6c13d + Sections: + .text: + Entropy: 6.418688362028714 + Virtual Size: '0x2f68' + .rdata: + Entropy: 7.152099793791149 + Virtual Size: '0x5e4' + .data: + Entropy: 2.0 + Virtual Size: '0x4' + INIT: + Entropy: 5.406740545618571 + Virtual Size: '0x5c6' + .rsrc: + Entropy: 3.328147473275693 + Virtual Size: '0x4d8' + .reloc: + Entropy: 5.197766729983576 + Virtual Size: '0x20c' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2007-08-01 
15:38:24' +- Filename: ElbyCDIO.sys + MD5: b5326548762bfaae7a42d5b0898dfeac + SHA1: f3029dba668285aac04117273599ac12a94a3564 + SHA256: 8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00 + Authentihash: + MD5: fc16498ddf3716e03fdd527c456ea80b + SHA1: 7436e16cf348558015593cbf5ab9c117d97738cc + SHA256: a3cf1a6edd205e04653b4338c077072ee753cde0a692490ecaf7afde27df5f0b + Description: ElbyCD Windows NT/2000/XP I/O driver + Company: Elaborate Bytes AG + InternalName: ElbyCDIO + OriginalFilename: ElbyCDIO.sys + FileVersion: 6, 0, 0, 1 + Product: CDRTools + ProductVersion: 6, 0, 0, 0 + Copyright: Copyright (C) 2000 - 2006 Elaborate Bytes AG + MachineType: I386 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - KeWaitForSingleObject + - RtlFreeUnicodeString + - ZwCreateFile + - RtlAnsiStringToUnicodeString + - RtlInitAnsiString + - ZwCreateKey + - ZwOpenKey + - IoDeleteSymbolicLink + - RtlInitUnicodeString + - IoDeleteDevice + - IofCallDriver + - IoBuildDeviceIoControlRequest + - KeInitializeEvent + - IoFreeMdl + - MmUnlockPages + - KeReleaseMutex + - MmProbeAndLockPages + - IoAllocateMdl + - ExFreePool + - ObfDereferenceObject + - ObReferenceObjectByHandle + - ExAllocatePool + - ZwDeleteKey + - ZwClose + - ZwDeviceIoControlFile + - IoCreateSymbolicLink + - KeInitializeMutex + - IoCreateDevice + - RtlUnwind + - KeTickCount + - MmMapLockedPages + - IofCompleteRequest + - KeQueryPerformanceCounter + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=CH, O=Elaborate Bytes AG, CN=Elaborate Bytes AG, emailAddress=admin@elby.ch + ValidFrom: '2006-12-07 11:07:29' + ValidTo: '2008-12-07 11:07:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 0100000000010f5c98b8f5 + Version: 3 + TBS: + MD5: 832074a51bea8e4758c8dfeb2e96ad84 + SHA1: 04ba895ed074635a01875a1f25da93e2e2cbbfba + SHA256: 
c5ba90a16c07cee0cb480ee21c9bedaf3ea4cbe004589b74fb9c2c0bedbc7c1b + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2013-12-03 23:59:59' + Signature: 4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 47bf1995df8d524643f7db6d480d31a4 + Version: 3 + TBS: + MD5: 518d2ea8a21e879c942d504824ac211c + SHA1: 21ce87d827077e61abddf2beba69fde5432ea031 + SHA256: 1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 + - Subject: C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign + Primary Object Publishing CA + ValidFrom: '1999-01-28 12:00:00' + ValidTo: '2014-01-27 11:00:00' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 04000000000108d9611cd6 + Version: 3 + TBS: + MD5: 698f075151097d84c0b1f3e7bc3d6fca + SHA1: 041750993d7c9e063f02dfe74699598640911aab + SHA256: a8622cca0913a20477be8313b8d16fcad5d83088b46b36ddac10b31e96abb5e8 + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2008-12-03 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 0de92bf0d4d82988183205095e9a7688 + Version: 3 + TBS: + MD5: 45c204b8a20f6abb0188d2d38a3fb0c9 + SHA1: cdf3a3c5c2eda4c29621f30fd3154f9f8c765739 + SHA256: e32839dddc0f4ed2474efaf37f59d46db400c700fd19533cb0895a111124bc77 + - Subject: C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign + CA + ValidFrom: '2004-01-22 09:00:00' + ValidTo: 
'2014-01-27 10:00:00' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 04000000000108d9612448 + Version: 3 + TBS: + MD5: 2fc76031fc24eec1ef3db2d246d21d6a + SHA1: 75c3a1f76b9dfa31ef6bf56325e7bd0bf6e4779d + SHA256: 9238292d441c56dc89684c253343c17de3ed9cecd7f83d1d8f793b5ebc91f7b9 + - Subject: C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA + ValidFrom: '2006-05-23 17:00:51' + ValidTo: '2016-05-23 17:10:51' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610b7f6b000000000019 + Version: 3 + TBS: + MD5: 4798d55be7663a75649cda4dedc686ef + SHA1: 0f1ab2937b245d9466ea6f9bf056a5942e3989cf + SHA256: ef14ea05bb066ee9f4188196dd69cd769b283ac4d7555db52f5e76922d3456e1 + Signer: + - SerialNumber: 0100000000010f5c98b8f5 + Issuer: C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign + CA + Version: 1 + RichPEHeaderHash: + MD5: c15e20cb179a835c6a295f891d4f43f6 + SHA1: fb716dec77e711df26bca8c29284c5c21c92a808 + SHA256: 626b9fbb41fcf7bc7185e02b6d4ca83f5070929c4645876c4b19aa50765655e1 + Sections: + .text: + Entropy: 6.0145723403420055 + Virtual Size: '0xe10' + .rdata: + Entropy: 3.950676692337647 + Virtual Size: '0x178' + .data: + Entropy: 1.9182958340544898 + Virtual Size: '0x18' + INIT: + Entropy: 5.282185901600035 + Virtual Size: '0x3a0' + .rsrc: + Entropy: 3.322524044533632 + Virtual Size: '0x4d8' + .reloc: + Entropy: 4.897249100220145 + Virtual Size: '0x134' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2006-12-12 15:48:53' +- Filename: ElbyCDIO.sys + MD5: e9ccb6bac8715918a2ac35d8f0b4e1e6 + SHA1: 9feacc95d30107ce3e1e9a491e2c12d73eef2979 + SHA256: 9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d + Authentihash: + MD5: b5cb05a635b6932ea1f7c0ee35592e37 + SHA1: e8dc3aa48d494fb2bc096523e11859afdd18b10a + SHA256: 
e85d36ca271c4d65abc1cdfff0e629dc5d14edb5bf97669badbb40d2715c1d47 + Description: ElbyCD Windows x64 I/O driver + Company: Elaborate Bytes AG + InternalName: ElbyCDIO + OriginalFilename: ElbyCDIO.sys + FileVersion: 6, 0, 1, 1 + Product: CDRTools + ProductVersion: 6, 0, 0, 0 + Copyright: Copyright (C) 2000 - 2008 Elaborate Bytes AG + MachineType: AMD64 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - KeAcquireSpinLockRaiseToDpc + - KeReleaseSpinLock + - ZwReadFile + - ZwWriteFile + - ZwCreateFile + - RtlInitUnicodeString + - swprintf + - ZwQueryVolumeInformationFile + - ZwOpenFile + - ZwClose + - ZwQuerySymbolicLinkObject + - ZwOpenSymbolicLinkObject + - PsTerminateSystemThread + - ZwSetInformationThread + - KeWaitForSingleObject + - KeSetEvent + - ObfDereferenceObject + - ObReferenceObjectByHandle + - PsCreateSystemThread + - KeInitializeEvent + - KeReleaseMutex + - PsGetCurrentProcessId + - IofCompleteRequest + - ExAllocatePool + - ExFreePool + - RtlFreeUnicodeString + - RtlAnsiStringToUnicodeString + - RtlInitAnsiString + - ZwCreateKey + - ZwOpenKey + - IoDeleteSymbolicLink + - IoDeleteDevice + - IofCallDriver + - IoBuildDeviceIoControlRequest + - __C_specific_handler + - IoFreeMdl + - MmUnlockPages + - MmMapLockedPages + - MmProbeAndLockPages + - IoAllocateMdl + - ZwDeviceIoControlFile + - ZwDeleteKey + - IoCreateSymbolicLink + - IoCreateDevice + - KeBugCheckEx + - KeInitializeMutex + - KeQueryPerformanceCounter + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=CH, O=Elaborate Bytes AG, CN=Elaborate Bytes AG, emailAddress=admin@elby.ch + ValidFrom: '2006-12-07 11:07:29' + ValidTo: '2008-12-07 11:07:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 0100000000010f5c98b8f5 + Version: 3 + TBS: + MD5: 832074a51bea8e4758c8dfeb2e96ad84 + SHA1: 04ba895ed074635a01875a1f25da93e2e2cbbfba 
+ SHA256: c5ba90a16c07cee0cb480ee21c9bedaf3ea4cbe004589b74fb9c2c0bedbc7c1b + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , + G2 + ValidFrom: '2007-06-15 00:00:00' + ValidTo: '2012-06-14 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 3825d7faf861af9ef490e726b5d65ad5 + Version: 3 + TBS: + MD5: d6c7684e9aaa508cf268335f83afe040 + SHA1: 18066d20ad92409c567cdfde745279ff71c75226 + SHA256: a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2013-12-03 23:59:59' + Signature: 4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 47bf1995df8d524643f7db6d480d31a4 + Version: 3 + TBS: + MD5: 518d2ea8a21e879c942d504824ac211c + SHA1: 21ce87d827077e61abddf2beba69fde5432ea031 + SHA256: 1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 + - Subject: C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign + Primary Object Publishing CA + ValidFrom: '1999-01-28 12:00:00' + ValidTo: '2014-01-27 11:00:00' + Signature: 
a0422eb876a7427186404d464d5b26b0b074f93f89a87b7cb7f1c697e08239999d43fe60823642b55b878df55df4bbffa91044a871d3c7f12241f29aa4a5ec63fae5eb654a19309d8bc7b6fddc3fe16cfdd5521407fc6d24ccb3cc81a2c052f327b96d9e063dd8a849023269c7054294d0bbe3bba908c393501bdb846dc0ba1e5298659c1376bdb3d567292f1f7baa2c51a0fd854f263c48a38127a6feee7f7899c245cf9d1f527ed7958bfde1d020c3af7e51a22f663bab2dcf2d8e8c4d7d18392128fbdcae6d6581d0e0d7184be7b5f774d784e6522aac3b68fd3b4ab80154849132bb95d28e6330a69ece2396feab2eb86a8b74dcde21a114c2fbbf53af10 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 04000000000108d9611cd6 + Version: 3 + TBS: + MD5: 698f075151097d84c0b1f3e7bc3d6fca + SHA1: 041750993d7c9e063f02dfe74699598640911aab + SHA256: a8622cca0913a20477be8313b8d16fcad5d83088b46b36ddac10b31e96abb5e8 + - Subject: C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign + CA + ValidFrom: '2004-01-22 09:00:00' + ValidTo: '2014-01-27 10:00:00' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 04000000000108d9612448 + Version: 3 + TBS: + MD5: 2fc76031fc24eec1ef3db2d246d21d6a + SHA1: 75c3a1f76b9dfa31ef6bf56325e7bd0bf6e4779d + SHA256: 9238292d441c56dc89684c253343c17de3ed9cecd7f83d1d8f793b5ebc91f7b9 + - Subject: C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA + ValidFrom: '2006-05-23 17:00:51' + ValidTo: '2016-05-23 17:10:51' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610b7f6b000000000019 + Version: 3 + TBS: + MD5: 4798d55be7663a75649cda4dedc686ef + SHA1: 0f1ab2937b245d9466ea6f9bf056a5942e3989cf + SHA256: ef14ea05bb066ee9f4188196dd69cd769b283ac4d7555db52f5e76922d3456e1 + Signer: + - SerialNumber: 0100000000010f5c98b8f5 + Issuer: C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign + CA + Version: 1 + 
RichPEHeaderHash: + MD5: add874dc7800e93a88bff903834a5d72 + SHA1: ed0bb5ae3434fbd499bdb7a1a42a5bae1a47966d + SHA256: ef169f60c3155370805f35d7174379ea25c0fb03402cce2957e3af2bcc70690b + Sections: + .text: + Entropy: 6.208771681315594 + Virtual Size: '0x3c52' + .rdata: + Entropy: 6.179147948380344 + Virtual Size: '0xb78' + .data: + Entropy: 0.5159719988134768 + Virtual Size: '0x110' + .pdata: + Entropy: 4.160152730018761 + Virtual Size: '0x2e8' + INIT: + Entropy: 5.032885005168776 + Virtual Size: '0x610' + .rsrc: + Entropy: 3.3171665901498995 + Virtual Size: '0x4a8' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2008-07-16 14:59:51' +- Filename: ElbyCDIO.sys + MD5: 28cb0b64134ad62c2acf77db8501a619 + SHA1: 5742ad3d30bd34c0c26c466ac6475a2b832ad59e + SHA256: ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47 + Authentihash: + MD5: 47a02497d57e9ffa7ab2490d15a0bf90 + SHA1: da00f69b9d1e4a997094651f4af2c0faad653a10 + SHA256: c1bbe628f79528417ea741dfad2f589fc4e5c62152e632a89ed080da029d5384 + Description: ElbyCD Windows NT/2000/XP I/O driver + Company: Elaborate Bytes AG + InternalName: ElbyCDIO + OriginalFilename: ElbyCDIO.sys + FileVersion: 6, 0, 1, 2 + Product: CDRTools + ProductVersion: 6, 0, 0, 0 + Copyright: Copyright (C) 2000 - 2008 Elaborate Bytes AG + MachineType: I386 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - ZwWriteFile + - ZwCreateFile + - RtlInitUnicodeString + - swprintf + - ZwQueryVolumeInformationFile + - ZwOpenFile + - ZwClose + - ZwQuerySymbolicLinkObject + - ZwOpenSymbolicLinkObject + - PsTerminateSystemThread + - KeWaitForSingleObject + - ZwSetInformationThread + - KeSetEvent + - ObfDereferenceObject + - ObReferenceObjectByHandle + - PsCreateSystemThread + - KeInitializeEvent + - KeReleaseMutex + - PsGetCurrentProcessId + - IofCompleteRequest + - KeInitializeMutex + - ZwReadFile + - RtlFreeUnicodeString + - RtlAnsiStringToUnicodeString + - RtlInitAnsiString + - ZwCreateKey + - ZwOpenKey + - 
IoDeleteSymbolicLink + - IoDeleteDevice + - IofCallDriver + - IoBuildDeviceIoControlRequest + - IoFreeMdl + - MmUnlockPages + - MmMapLockedPages + - MmProbeAndLockPages + - IoAllocateMdl + - _except_handler3 + - ZwDeleteKey + - ZwDeviceIoControlFile + - IoCreateSymbolicLink + - IoCreateDevice + - KeTickCount + - KeBugCheckEx + - KeInitializeSpinLock + - ExFreePool + - ExAllocatePool + - KfReleaseSpinLock + - KfAcquireSpinLock + - KeQueryPerformanceCounter + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=CH, O=Elaborate Bytes AG, CN=Elaborate Bytes AG, emailAddress=admin@elby.ch + ValidFrom: '2006-12-07 11:07:29' + ValidTo: '2008-12-07 11:07:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 0100000000010f5c98b8f5 + Version: 3 + TBS: + MD5: 832074a51bea8e4758c8dfeb2e96ad84 + SHA1: 04ba895ed074635a01875a1f25da93e2e2cbbfba + SHA256: c5ba90a16c07cee0cb480ee21c9bedaf3ea4cbe004589b74fb9c2c0bedbc7c1b + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , + G2 + ValidFrom: '2007-06-15 00:00:00' + ValidTo: '2012-06-14 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 3825d7faf861af9ef490e726b5d65ad5 + Version: 3 + TBS: + MD5: d6c7684e9aaa508cf268335f83afe040 + SHA1: 18066d20ad92409c567cdfde745279ff71c75226 + SHA256: a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2013-12-03 23:59:59' + Signature: 
4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 47bf1995df8d524643f7db6d480d31a4 + Version: 3 + TBS: + MD5: 518d2ea8a21e879c942d504824ac211c + SHA1: 21ce87d827077e61abddf2beba69fde5432ea031 + SHA256: 1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 + - Subject: C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign + Primary Object Publishing CA + ValidFrom: '1999-01-28 12:00:00' + ValidTo: '2014-01-27 11:00:00' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 04000000000108d9611cd6 + Version: 3 + TBS: + MD5: 698f075151097d84c0b1f3e7bc3d6fca + SHA1: 041750993d7c9e063f02dfe74699598640911aab + SHA256: a8622cca0913a20477be8313b8d16fcad5d83088b46b36ddac10b31e96abb5e8 + - Subject: C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign + CA + ValidFrom: '2004-01-22 09:00:00' + ValidTo: '2014-01-27 10:00:00' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 04000000000108d9612448 + Version: 3 + TBS: + MD5: 2fc76031fc24eec1ef3db2d246d21d6a + SHA1: 75c3a1f76b9dfa31ef6bf56325e7bd0bf6e4779d + SHA256: 9238292d441c56dc89684c253343c17de3ed9cecd7f83d1d8f793b5ebc91f7b9 + - Subject: C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA + ValidFrom: '2006-05-23 17:00:51' + ValidTo: '2016-05-23 17:10:51' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610b7f6b000000000019 + Version: 3 + TBS: + MD5: 
4798d55be7663a75649cda4dedc686ef + SHA1: 0f1ab2937b245d9466ea6f9bf056a5942e3989cf + SHA256: ef14ea05bb066ee9f4188196dd69cd769b283ac4d7555db52f5e76922d3456e1 + Signer: + - SerialNumber: 0100000000010f5c98b8f5 + Issuer: C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign + CA + Version: 1 + RichPEHeaderHash: + MD5: 27082193599c13d88cd3571465c0869f + SHA1: 0ca5abc904d8a25537355902fe3e897263b7c780 + SHA256: 345dc7d1b4b40f3ae817e86ae8a68038f88f5c21c8c34876e2f0c320a681e724 + Sections: + .text: + Entropy: 6.423559104609518 + Virtual Size: '0x2bf4' + .rdata: + Entropy: 7.167113007266431 + Virtual Size: '0x5d4' + .data: + Entropy: 2.0 + Virtual Size: '0x4' + INIT: + Entropy: 5.419300948032812 + Virtual Size: '0x538' + .rsrc: + Entropy: 3.3353960748169276 + Virtual Size: '0x4d8' + .reloc: + Entropy: 4.982180549430246 + Virtual Size: '0x1c4' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2008-07-21 06:11:57' +- Filename: ElbyCDIO.sys + MD5: f141db170bb4c6e088f30ddc58404ad3 + SHA1: 34b0f1b2038a1572ee6381022a24333357b033c4 + SHA256: c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9 + Authentihash: + MD5: fc16498ddf3716e03fdd527c456ea80b + SHA1: 7436e16cf348558015593cbf5ab9c117d97738cc + SHA256: a3cf1a6edd205e04653b4338c077072ee753cde0a692490ecaf7afde27df5f0b + Description: ElbyCD Windows NT/2000/XP I/O driver + Company: Elaborate Bytes AG + InternalName: ElbyCDIO + OriginalFilename: ElbyCDIO.sys + FileVersion: 6, 0, 0, 1 + Product: CDRTools + ProductVersion: 6, 0, 0, 0 + Copyright: Copyright (C) 2000 - 2006 Elaborate Bytes AG + MachineType: I386 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - KeWaitForSingleObject + - RtlFreeUnicodeString + - ZwCreateFile + - RtlAnsiStringToUnicodeString + - RtlInitAnsiString + - ZwCreateKey + - ZwOpenKey + - IoDeleteSymbolicLink + - RtlInitUnicodeString + - IoDeleteDevice + - IofCallDriver + - IoBuildDeviceIoControlRequest + - KeInitializeEvent + - IoFreeMdl + - 
MmUnlockPages + - KeReleaseMutex + - MmProbeAndLockPages + - IoAllocateMdl + - ExFreePool + - ObfDereferenceObject + - ObReferenceObjectByHandle + - ExAllocatePool + - ZwDeleteKey + - ZwClose + - ZwDeviceIoControlFile + - IoCreateSymbolicLink + - KeInitializeMutex + - IoCreateDevice + - RtlUnwind + - KeTickCount + - MmMapLockedPages + - IofCompleteRequest + - KeQueryPerformanceCounter + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=CH, O=Elaborate Bytes AG, CN=Elaborate Bytes AG, emailAddress=admin@elby.ch + ValidFrom: '2006-12-07 11:07:29' + ValidTo: '2008-12-07 11:07:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 0100000000010f5c98b8f5 + Version: 3 + TBS: + MD5: 832074a51bea8e4758c8dfeb2e96ad84 + SHA1: 04ba895ed074635a01875a1f25da93e2e2cbbfba + SHA256: c5ba90a16c07cee0cb480ee21c9bedaf3ea4cbe004589b74fb9c2c0bedbc7c1b + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2013-12-03 23:59:59' + Signature: 4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 47bf1995df8d524643f7db6d480d31a4 + Version: 3 + TBS: + MD5: 518d2ea8a21e879c942d504824ac211c + SHA1: 21ce87d827077e61abddf2beba69fde5432ea031 + SHA256: 1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 + - Subject: C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign + Primary Object Publishing CA + ValidFrom: '1999-01-28 12:00:00' + ValidTo: '2014-01-27 11:00:00' + Signature: 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 + SignatureAlgorithmOID: 
1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 04000000000108d9611cd6 + Version: 3 + TBS: + MD5: 698f075151097d84c0b1f3e7bc3d6fca + SHA1: 041750993d7c9e063f02dfe74699598640911aab + SHA256: a8622cca0913a20477be8313b8d16fcad5d83088b46b36ddac10b31e96abb5e8 + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2008-12-03 23:59:59' + Signature: 877870da4e5201205be079c98230c4fdb91996bd9100c3bdcdcdc6f40ed8fff94dc033623011c5f5741bd492de5f9c2013b17c45be50cd83e7801783a72793671346fbcab8984103cc9b515b058b7fa86ff31b501b242ef2698d6c22f7bbca1695ed0c74c06877d9eb996287c17390f889747a23aba3987b97b1f78f29714d2e751b4841daf0b50d2054d677a097826369fd09cf8af075bb099bd9f91155269a6132be7a02b07b86bea2c38b222c78d13576bc92735cf9b9e64c150a23cce4d2d4342e4940153c0f607a24c6a566ef96cf70eb3ee7f40d7edcd17ca3767169c19c4f47303521b1a2af1a623c2bd98eaa2a077bd818b35c7be29da56ffe3c89ad + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 0de92bf0d4d82988183205095e9a7688 + Version: 3 + TBS: + MD5: 45c204b8a20f6abb0188d2d38a3fb0c9 + SHA1: cdf3a3c5c2eda4c29621f30fd3154f9f8c765739 + SHA256: e32839dddc0f4ed2474efaf37f59d46db400c700fd19533cb0895a111124bc77 + - Subject: C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign + CA + ValidFrom: '2004-01-22 09:00:00' + ValidTo: '2014-01-27 10:00:00' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 04000000000108d9612448 + Version: 3 + TBS: + MD5: 2fc76031fc24eec1ef3db2d246d21d6a + SHA1: 75c3a1f76b9dfa31ef6bf56325e7bd0bf6e4779d + SHA256: 9238292d441c56dc89684c253343c17de3ed9cecd7f83d1d8f793b5ebc91f7b9 + - Subject: C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA + ValidFrom: '2006-05-23 17:00:51' + ValidTo: '2016-05-23 17:10:51' + Signature: 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 + 
SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610b7f6b000000000019 + Version: 3 + TBS: + MD5: 4798d55be7663a75649cda4dedc686ef + SHA1: 0f1ab2937b245d9466ea6f9bf056a5942e3989cf + SHA256: ef14ea05bb066ee9f4188196dd69cd769b283ac4d7555db52f5e76922d3456e1 + Signer: + - SerialNumber: 0100000000010f5c98b8f5 + Issuer: C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign + CA + Version: 1 + RichPEHeaderHash: + MD5: c15e20cb179a835c6a295f891d4f43f6 + SHA1: fb716dec77e711df26bca8c29284c5c21c92a808 + SHA256: 626b9fbb41fcf7bc7185e02b6d4ca83f5070929c4645876c4b19aa50765655e1 + Sections: + .text: + Entropy: 6.0145723403420055 + Virtual Size: '0xe10' + .rdata: + Entropy: 3.950676692337647 + Virtual Size: '0x178' + .data: + Entropy: 1.9182958340544898 + Virtual Size: '0x18' + INIT: + Entropy: 5.282185901600035 + Virtual Size: '0x3a0' + .rsrc: + Entropy: 3.322524044533632 + Virtual Size: '0x4d8' + .reloc: + Entropy: 4.897249100220145 + Virtual Size: '0x134' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2006-12-12 15:48:53' +- Filename: ElbyCDIO.sys + MD5: 0634299fc837b47b531e4762d946b2ae + SHA1: 0a19a9c4c9185b80188da529ec9c9f45cbe73186 + SHA256: f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439 + Authentihash: + MD5: c18c29b48a4e04a3cd761dc733cfda55 + SHA1: f43590d096d3ed0bbcfd2b0e41a327ba365bd9ec + SHA256: 262268f21c789c2bdaf1950b556456a9a5114ed5759d806200b0cec107bf76d7 + Description: ElbyCD Windows NT/2000/XP I/O driver + Company: Elaborate Bytes AG + InternalName: ElbyCDIO + OriginalFilename: ElbyCDIO.sys + FileVersion: 6, 0, 0, 4 + Product: CDRTools + ProductVersion: 6, 0, 0, 0 + Copyright: Copyright (C) 2000 - 2007 Elaborate Bytes AG + MachineType: I386 + Imports: + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - ZwWriteFile + - ZwClose + - ZwSetInformationFile + - ZwQueryInformationFile + - ZwOpenFile + - RtlInitUnicodeString + - ZwCreateFile + - swprintf + - 
ZwQueryVolumeInformationFile + - ZwQuerySymbolicLinkObject + - ZwOpenSymbolicLinkObject + - PsTerminateSystemThread + - ZwQueryInformationProcess + - ZwSetInformationThread + - KeReleaseMutex + - ObfDereferenceObject + - KeWaitForMultipleObjects + - PsCreateSystemThread + - KeWaitForSingleObject + - ObReferenceObjectByHandle + - ZwOpenProcess + - KeSetEvent + - KeInitializeEvent + - PsGetCurrentProcessId + - ZwReadFile + - KeInitializeMutex + - ExAllocatePool + - RtlFreeUnicodeString + - RtlAnsiStringToUnicodeString + - RtlInitAnsiString + - ZwCreateKey + - ZwOpenKey + - IoDeleteSymbolicLink + - IoDeleteDevice + - IofCallDriver + - IoBuildDeviceIoControlRequest + - IoFreeMdl + - MmUnlockPages + - MmMapLockedPages + - MmProbeAndLockPages + - IoAllocateMdl + - _except_handler3 + - ZwDeleteKey + - ZwDeviceIoControlFile + - IoCreateSymbolicLink + - IoCreateDevice + - KeTickCount + - KeBugCheckEx + - KeInitializeSpinLock + - ExFreePool + - IofCompleteRequest + - KfReleaseSpinLock + - KfAcquireSpinLock + - KeQueryPerformanceCounter + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=CH, O=Elaborate Bytes AG, CN=Elaborate Bytes AG, emailAddress=admin@elby.ch + ValidFrom: '2006-12-07 11:07:29' + ValidTo: '2008-12-07 11:07:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 0100000000010f5c98b8f5 + Version: 3 + TBS: + MD5: 832074a51bea8e4758c8dfeb2e96ad84 + SHA1: 04ba895ed074635a01875a1f25da93e2e2cbbfba + SHA256: c5ba90a16c07cee0cb480ee21c9bedaf3ea4cbe004589b74fb9c2c0bedbc7c1b + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , + G2 + ValidFrom: '2007-06-15 00:00:00' + ValidTo: '2012-06-14 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 3825d7faf861af9ef490e726b5d65ad5 + Version: 
3 + TBS: + MD5: d6c7684e9aaa508cf268335f83afe040 + SHA1: 18066d20ad92409c567cdfde745279ff71c75226 + SHA256: a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2013-12-03 23:59:59' + Signature: 4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 47bf1995df8d524643f7db6d480d31a4 + Version: 3 + TBS: + MD5: 518d2ea8a21e879c942d504824ac211c + SHA1: 21ce87d827077e61abddf2beba69fde5432ea031 + SHA256: 1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 + - Subject: C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign + Primary Object Publishing CA + ValidFrom: '1999-01-28 12:00:00' + ValidTo: '2014-01-27 11:00:00' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 04000000000108d9611cd6 + Version: 3 + TBS: + MD5: 698f075151097d84c0b1f3e7bc3d6fca + SHA1: 041750993d7c9e063f02dfe74699598640911aab + SHA256: a8622cca0913a20477be8313b8d16fcad5d83088b46b36ddac10b31e96abb5e8 + - Subject: C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign + CA + ValidFrom: '2004-01-22 09:00:00' + ValidTo: '2014-01-27 10:00:00' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 04000000000108d9612448 + Version: 3 + TBS: + MD5: 2fc76031fc24eec1ef3db2d246d21d6a + SHA1: 75c3a1f76b9dfa31ef6bf56325e7bd0bf6e4779d + SHA256: 9238292d441c56dc89684c253343c17de3ed9cecd7f83d1d8f793b5ebc91f7b9 + - Subject: C=BE, 
O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA + ValidFrom: '2006-05-23 17:00:51' + ValidTo: '2016-05-23 17:10:51' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610b7f6b000000000019 + Version: 3 + TBS: + MD5: 4798d55be7663a75649cda4dedc686ef + SHA1: 0f1ab2937b245d9466ea6f9bf056a5942e3989cf + SHA256: ef14ea05bb066ee9f4188196dd69cd769b283ac4d7555db52f5e76922d3456e1 + Signer: + - SerialNumber: 0100000000010f5c98b8f5 + Issuer: C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign + CA + Version: 1 + RichPEHeaderHash: + MD5: 589450fa6c6213445bb9aa901c944d47 + SHA1: de49771e01d34ce6f4663a14eea50c9f509ab899 + SHA256: 9e7a40176c4bb2dc5645359adf4e7252cab1ba935e18e191db2889044dc6c13d + Sections: + .text: + Entropy: 6.3852385935006275 + Virtual Size: '0x2e68' + .rdata: + Entropy: 7.145465057024416 + Virtual Size: '0x5e4' + .data: + Entropy: 2.0 + Virtual Size: '0x4' + INIT: + Entropy: 5.397728657185974 + Virtual Size: '0x5c6' + .rsrc: + Entropy: 3.32214356727726 + Virtual Size: '0x4d8' + .reloc: + Entropy: 5.170233620489706 + Virtual Size: '0x202' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2007-07-20 05:58:51' +Tags: +- ElbyCDIO.sys diff --git a/yaml/7bb5ff05-25f8-410d-ae99-c8e8f082d24f.yaml b/yaml/7bb5ff05-25f8-410d-ae99-c8e8f082d24f.yaml index 9b1a6f7d6..dd3230d54 100644 --- a/yaml/7bb5ff05-25f8-410d-ae99-c8e8f082d24f.yaml +++ b/yaml/7bb5ff05-25f8-410d-ae99-c8e8f082d24f.yaml 
@@ -26,6 +26,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 7bb5ff05-25f8-410d-ae99-c8e8f082d24f
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/7ce8fb06-46eb-4f4f-90d5-5518a6561f15.yaml b/yaml/7ce8fb06-46eb-4f4f-90d5-5518a6561f15.yaml
index 6033a494c..65ef25368 100644
--- a/yaml/7ce8fb06-46eb-4f4f-90d5-5518a6561f15.yaml
+++ b/yaml/7ce8fb06-46eb-4f4f-90d5-5518a6561f15.yaml
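Review bot: The sigma_hash, sigma_names, sysmon_hash_detect and sysmon_hash_block entries added after the new yara_signature line repeat entries that the context lines above already hold, so this file's Detection list now carries each sigma and sysmon reference twice; the same duplication appears in the 7ce8fb06, 7f645b95, 81a73e57, 855ade1f, 86cff0de, 87752fb8 and 892292f9 hunks. These files look generated by the enrichment script in this commit, which presumably appends its fixed sigma/sysmon list on every run while only the yara link is checked for prior presence; the generator should apply the same membership test to those entries (or rebuild the list from scratch) and the files be regenerated, because consumers that count or iterate Detection entries will otherwise double-report. Separately, the yara_signature value now names a bulk rule set (yara-rules_vuln_drivers_strict_renamed.yar) rather than a per-sample rule, so nothing in this entry says which rule in that file covers this driver; if the schema allows it, carrying the matching rule name alongside the value would keep the link actionable.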
@@ -23,6 +23,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 7ce8fb06-46eb-4f4f-90d5-5518a6561f15
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/7edb5602-239f-460a-89d6-363ff1059765.yml b/yaml/7edb5602-239f-460a-89d6-363ff1059765.yml
index dfdd240bf..24b93849d 100644
--- a/yaml/7edb5602-239f-460a-89d6-363ff1059765.yml
+++ b/yaml/7edb5602-239f-460a-89d6-363ff1059765.yml
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
 Person: []
 Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: viragt64.sys
 MD5: 779af226b7b72ff9d78ce1f03d4a3389
diff --git a/yaml/7f645b95-4374-47ae-be1a-e4415308b550.yaml b/yaml/7f645b95-4374-47ae-be1a-e4415308b550.yaml
index 55f0c228f..51fb68f1f 100644
--- a/yaml/7f645b95-4374-47ae-be1a-e4415308b550.yaml
+++ b/yaml/7f645b95-4374-47ae-be1a-e4415308b550.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 7f645b95-4374-47ae-be1a-e4415308b550
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/7f9842a0-8118-462e-8860-227265ff4379.yml b/yaml/7f9842a0-8118-462e-8860-227265ff4379.yml
index c1cbc1705..25887baf2 100644
--- a/yaml/7f9842a0-8118-462e-8860-227265ff4379.yml
+++ b/yaml/7f9842a0-8118-462e-8860-227265ff4379.yml
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
 Person: []
 Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: NTIOLib.sys
 MD5: 4d99d02f49e027332a0a9c31c674e13b
diff --git a/yaml/81a73e57-2e92-4d21-97d3-1c21eb4c3aea.yaml b/yaml/81a73e57-2e92-4d21-97d3-1c21eb4c3aea.yaml
index 5dea9f56f..ccfd4bc41 100644
--- a/yaml/81a73e57-2e92-4d21-97d3-1c21eb4c3aea.yaml
+++ b/yaml/81a73e57-2e92-4d21-97d3-1c21eb4c3aea.yaml
@@ -24,6 +24,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 81a73e57-2e92-4d21-97d3-1c21eb4c3aea
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/855ade1f-8a9e-4c9d-ab8e-d7e409609852.yaml b/yaml/855ade1f-8a9e-4c9d-ab8e-d7e409609852.yaml
index 85a00bdb3..f47e6d105 100644
--- a/yaml/855ade1f-8a9e-4c9d-ab8e-d7e409609852.yaml
+++ b/yaml/855ade1f-8a9e-4c9d-ab8e-d7e409609852.yaml
@@ -24,6 +24,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 855ade1f-8a9e-4c9d-ab8e-d7e409609852
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/86cff0de-2536-4b8d-a846-a7312c569597.yaml b/yaml/86cff0de-2536-4b8d-a846-a7312c569597.yaml
index 1c6cf18e5..dc0c96f83 100644
--- a/yaml/86cff0de-2536-4b8d-a846-a7312c569597.yaml
+++ b/yaml/86cff0de-2536-4b8d-a846-a7312c569597.yaml
@@ -24,6 +24,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 86cff0de-2536-4b8d-a846-a7312c569597
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/87752fb8-e9f6-4235-91e2-c4343677d817.yaml b/yaml/87752fb8-e9f6-4235-91e2-c4343677d817.yaml
index 3fe61684a..918fc9619 100644
--- a/yaml/87752fb8-e9f6-4235-91e2-c4343677d817.yaml
+++ b/yaml/87752fb8-e9f6-4235-91e2-c4343677d817.yaml
@@ -23,6 +23,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 87752fb8-e9f6-4235-91e2-c4343677d817
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/892292f9-b87c-40a5-80e5-8c9b02914e8b.yaml b/yaml/892292f9-b87c-40a5-80e5-8c9b02914e8b.yaml
index 948e14d87..643e7d7ea 100644
--- a/yaml/892292f9-b87c-40a5-80e5-8c9b02914e8b.yaml
+++ b/yaml/892292f9-b87c-40a5-80e5-8c9b02914e8b.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 892292f9-b87c-40a5-80e5-8c9b02914e8b
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/8d3f27bd-c3fd-48d0-913a-e2caa6fbd025.yml b/yaml/8d3f27bd-c3fd-48d0-913a-e2caa6fbd025.yml
index 20d9c5c2f..d07ad75d7 100644
--- a/yaml/8d3f27bd-c3fd-48d0-913a-e2caa6fbd025.yml
+++ b/yaml/8d3f27bd-c3fd-48d0-913a-e2caa6fbd025.yml
@@ -35,6 +35,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: rtkio64.sys
 MD5: 7aa34cd9ea5649c24a814e292b270b6f
diff --git a/yaml/8ff4ab50-05b7-4bfa-b994-1920c4ed4978.yaml b/yaml/8ff4ab50-05b7-4bfa-b994-1920c4ed4978.yaml
index ba0b88ee1..5a996a0a9 100644
--- a/yaml/8ff4ab50-05b7-4bfa-b994-1920c4ed4978.yaml
+++ b/yaml/8ff4ab50-05b7-4bfa-b994-1920c4ed4978.yaml
@@ -24,6 +24,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 8ff4ab50-05b7-4bfa-b994-1920c4ed4978
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/90afa27c-0f67-46a6-b4a9-809f55157c71.yml b/yaml/90afa27c-0f67-46a6-b4a9-809f55157c71.yml
new file mode 100644
index 000000000..bc829fc1d
--- /dev/null
+++ b/yaml/90afa27c-0f67-46a6-b4a9-809f55157c71.yml
@@ -0,0 +1,819 @@ +Id: 90afa27c-0f67-46a6-b4a9-809f55157c71 +Author: Nasreddine Bencherchali +Created: '2023-05-06' +MitreID: T1068 +Category: vulnerable driver +Verified: 'TRUE' +Commands: + Command: sc.exe create nscm.sys binPath=C:\windows\temp\nscm.sys type=kernel && + sc.exe start nscm.sys + Description: '' + Usecase: Elevate privileges + Privileges: kernel + OperatingSystem: Windows 10 +Resources: +- Internal Research +Acknowledgement: + Person: [] + Handle: '' +Detection: +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +KnownVulnerableSamples: +- Filename: nscm.sys + MD5: ba2c0fa201c74621cddd8638497b3c70 + SHA1: 8f540936f2484d020e270e41529624407b7e107e + SHA256: 28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7 + Authentihash: + MD5: 3a5b83215c9ea17f8d3ad3812c30a340 + SHA1: 533e0690528ff3f0d59edeed9dd53b4f37c0a110 + SHA256: 1622ac0c618a86be17e0f97daa061f9aaa0e721dc0fd30d76bbc5c958e9a9d92 + Description: Novell XTier Session Manager + Company: Novell, Inc. + InternalName: '' + OriginalFilename: nscm.sys + FileVersion: 3.1.6.0 + Product: Novell XTier + ProductVersion: 3.1.6 + Copyright: (C) Copyright 2000-2008, Novell, Inc. All Rights Reserved. 
+ MachineType: AMD64 + Imports: + - ntoskrnl.exe + - nicm.sys + ExportedFunctions: + - DllGetClassObject + - XTCOM_Table + ImportedFunctions: + - IoCreateDevice + - SeUnregisterLogonSessionTerminatedRoutine + - KeInitializeMutex + - IoDeleteDevice + - SeRegisterLogonSessionTerminatedRoutine + - ZwOpenProcessTokenEx + - KeReleaseMutex + - ZwClose + - SeMarkLogonSessionForTerminationNotification + - ZwQueryInformationToken + - ZwOpenThreadTokenEx + - KeBugCheckEx + - KeWaitForSingleObject + - IoGetCurrentProcess + - DbgPrint + - NicmCreateInstance + - NicmDeregisterClassFactory + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , + G2 + ValidFrom: '2007-06-15 00:00:00' + ValidTo: '2012-06-14 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 3825d7faf861af9ef490e726b5d65ad5 + Version: 3 + TBS: + MD5: d6c7684e9aaa508cf268335f83afe040 + SHA1: 18066d20ad92409c567cdfde745279ff71c75226 + SHA256: a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2013-12-03 23:59:59' + Signature: 4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 47bf1995df8d524643f7db6d480d31a4 + Version: 3 + TBS: + MD5: 518d2ea8a21e879c942d504824ac211c + SHA1: 21ce87d827077e61abddf2beba69fde5432ea031 + SHA256: 1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at 
https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 + CA + ValidFrom: '2004-07-16 00:00:00' + ValidTo: '2014-07-15 23:59:59' + Signature: ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 4191a15a3978dfcf496566381d4c75c2 + Version: 3 + TBS: + MD5: 41011f8d0e7c7a6408334ca387914c61 + SHA1: c7fc1727f5b75a6421a1f95c73bbdb23580c48e5 + SHA256: 88dd3952638ee82738c03168e6fd863fe4eab1059ee5e2926ad8cb587c255dc0 + - Subject: C=US, ST=Utah, L=Provo, O=Novell, Inc., OU=Digital ID Class 3 , Microsoft + Software Validation v2, OU=Novell Products Group, CN=Novell, Inc. + ValidFrom: '2007-04-04 00:00:00' + ValidTo: '2010-04-27 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 4808d93b14b8600dbfa18dab5d15310f + Version: 3 + TBS: + MD5: adddb65a3a360b3c1a55cb33e426f32a + SHA1: 93d9b282265288a94ee4f1a01c5fb3a08badb7ac + SHA256: d98d63f26125a94eb767fdd2526f6c74bfb40cb4d117a1d87ca3ed0d99bd6f0b + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + Signer: + - SerialNumber: 4808d93b14b8600dbfa18dab5d15310f + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + 
https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 + CA + Version: 1 + RichPEHeaderHash: + MD5: 4a07178c85358a7450e421019955ccee + SHA1: 0e0b4edfb21b1a41b2f00f341bc1c6de6a650546 + SHA256: dd7717af9d41e7c2d7c773f3e063d396ad8676b3d940732451acc1fc28ec9989 + Sections: + .text: + Entropy: 5.981323117886685 + Virtual Size: '0x4a25' + .rdata: + Entropy: 5.681127753509768 + Virtual Size: '0x480' + .data: + Entropy: 0.8264834692004682 + Virtual Size: '0x548' + .pdata: + Entropy: 4.218145333940637 + Virtual Size: '0x3c0' + .edata: + Entropy: 3.983850316580165 + Virtual Size: '0x63' + INIT: + Entropy: 5.26537545088398 + Virtual Size: '0x360' + .rsrc: + Entropy: 3.289150653685818 + Virtual Size: '0x350' + .reloc: + Entropy: 1.2454265871243133 + Virtual Size: '0x3c' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2009-03-27 11:56:49' +- Filename: nscm.sys + MD5: 4c76554d9a72653c6156ca0024d21a8e + SHA1: 6d3c760251d6e6ea7ff4f4fcac14876fac829cf9 + SHA256: 2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0 + Authentihash: + MD5: b546d6b223a9e1a42f8359dbf9d9737c + SHA1: 41f6704252efa14de0d72eeaf7475886ba7f3bdc + SHA256: 92ca1aec3afc90b44861c2e0be084a3db38d22d52f35e1697643d6477151392f + Description: Novell XTier Session Manager + Company: Novell, Inc. + InternalName: '' + OriginalFilename: nscm.sys + FileVersion: 3.1.11.0 + Product: Novell XTier + ProductVersion: 3.1.11 + Copyright: (C) Copyright 2000-2013, Novell, Inc. All Rights Reserved. 
+ MachineType: AMD64 + Imports: + - ntoskrnl.exe + - nicm.sys + ExportedFunctions: + - DllGetClassObject + - XTCOM_Table + ImportedFunctions: + - ExAllocatePoolWithTag + - ExFreePoolWithTag + - KeInitializeMutex + - IoQueueWorkItemEx + - IoDeleteDevice + - IoFreeWorkItem + - RtlEqualUnicodeString + - ZwOpenProcessTokenEx + - IoAllocateWorkItem + - ZwClose + - ZwOpenProcess + - DbgPrint + - PsGetCurrentProcessId + - IoCreateDevice + - ZwQueryInformationToken + - PsSetCreateProcessNotifyRoutine + - SeRegisterLogonSessionTerminatedRoutine + - SeUnregisterLogonSessionTerminatedRoutine + - ZwOpenThreadTokenEx + - IoGetCurrentProcess + - SeMarkLogonSessionForTerminationNotification + - KeBugCheckEx + - KeWaitForSingleObject + - ZwQueryInformationProcess + - KeReleaseMutex + - NicmCreateInstance + - NicmDeregisterClassFactory + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Windows Publisher + ValidFrom: '2022-01-27 19:31:19' + ValidTo: '2023-01-26 19:31:19' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.11 + IsCertificateAuthority: false + SerialNumber: 330000036ce57eeb5d1cc2be1700000000036c + Version: 3 + TBS: + MD5: 7ece739fdaa27d96b67f587db04186a7 + SHA1: b8701efa0ab12b8fea2293c9cff8772ecca084d0 + SHA256: c1392bdcbb0b50215fca8c78f25c2d857e515dce06c87ce86527c88c91d5d7e4 + - Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Windows Production PCA 2011 + ValidFrom: '2011-10-19 18:41:42' + ValidTo: '2026-10-19 18:51:42' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.11 + IsCertificateAuthority: true + SerialNumber: '61077656000000000008' + Version: 3 + TBS: + MD5: 30a3f0b64324ed7f465e7fc618cb69e7 + SHA1: 002de3561519b662c5e3f5faba1b92c403fb7c41 + SHA256: 
4e80be107c860de896384b3eff50504dc2d76ac7151df3102a4450637a032146 + Signer: + - SerialNumber: 330000036ce57eeb5d1cc2be1700000000036c + Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Windows Production PCA 2011 + Version: 1 + RichPEHeaderHash: + MD5: 0d646b28e804b652211b8f3e0feac906 + SHA1: 1169ececb349b1d1a50626a2565e85cc6e9049ea + SHA256: 097828b6f5705aca00605777868f774f37fd5ecf705e958c6dbdb860c4934be4 + Sections: + .text: + Entropy: 5.9944111351941185 + Virtual Size: '0x5736' + .rdata: + Entropy: 5.542492779395016 + Virtual Size: '0x570' + .data: + Entropy: 1.445115035315444 + Virtual Size: '0x5a8' + .pdata: + Entropy: 4.268472946152158 + Virtual Size: '0x42c' + .edata: + Entropy: 3.9636482963781448 + Virtual Size: '0x63' + INIT: + Entropy: 5.429528792402954 + Virtual Size: '0x4b6' + .rsrc: + Entropy: 6.472426446171854 + Virtual Size: '0x14a24' + .reloc: + Entropy: 5.039009418592025 + Virtual Size: '0x48' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2013-01-15 23:24:57' +- Filename: nscm.sys + MD5: 5f4a232d92480a1bebbe025ef64dc760 + SHA1: 0cb14c1049c0e81c8655ab7ee7d698c11758ea06 + SHA256: 5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c + Authentihash: + MD5: 5d62cae57be434a4d56924574498c4f2 + SHA1: 1a99d3141d75a3ef1998944b2d107089ce3ef6e4 + SHA256: a363deaf1790e9c0610e07a7203749aab8b60f5ededc944abc0ef3010f5e2105 + Description: XTier Security Context Manager + Company: Micro Focus + InternalName: '' + OriginalFilename: nscm.sys + FileVersion: 3.1.12.0 + Product: Micro Focus XTier + ProductVersion: 3.1.12 + Copyright: (C) Copyright 2000-2017, Micro Focus. All Rights Reserved. 
+ MachineType: AMD64 + Imports: + - ntoskrnl.exe + - nicm.sys + ExportedFunctions: + - DllGetClassObject + - XTCOM_Table + ImportedFunctions: + - ExAllocatePoolWithTag + - ExFreePoolWithTag + - KeInitializeMutex + - PsLookupProcessByProcessId + - IoDeleteDevice + - RtlEqualUnicodeString + - ZwOpenProcessTokenEx + - _vsnwprintf + - ZwClose + - ZwOpenProcess + - ZwQueryInformationProcess + - DbgPrint + - IoCreateDevice + - ZwQueryInformationToken + - RtlDeleteRegistryValue + - PsSetCreateProcessNotifyRoutine + - SeRegisterLogonSessionTerminatedRoutine + - SeUnregisterLogonSessionTerminatedRoutine + - ZwOpenThreadTokenEx + - IoGetCurrentProcess + - SeMarkLogonSessionForTerminationNotification + - PsGetCurrentProcessId + - KeBugCheckEx + - KeWaitForSingleObject + - ObfDereferenceObject + - KeReleaseMutex + - NicmCreateInstance + - NicmDeregisterClassFactory + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Windows Hardware Compatibility Publisher + ValidFrom: '2021-09-09 19:15:59' + ValidTo: '2022-09-01 19:15:59' + Signature: 
1757782e797188079911866d54bd474a2432707984658c549a407e7fb4e5efa2ba72367a02b382d2116d4c4538836ddcd4616fcd231229df1ae5d0da6b3abe499ee5d8b47a7919940f6bbcbe2575018dca65eef4913e3d38410f2cd6cca3082d9ba2c061173cd828635665f76e8f0f685e03da24290b9d2cae7039da974de7b7e85798ba64cbe9ba34e0308c3bd6b4d68e9723fde74274fd3806fe799d04d6a3835f82d4fefc52088ccda4b4c817116f2f5a99445a3e952d78bc27753e65e97c6271c71ac7c9e3439b847e8984ab06a5904d150223f9ca92bbda86c02663c3f4964da5e106619b6eaff2768143cce9e5a8b0b2cba90e82cd87866d9fd6499c6cfbc96529a18b5653d12b54a6c928693a4e3d197ffbfcce7ed71a909b18d09b4345b24bc25eb8dfa1821a9cd0971ffc7d38a26580e2f118c4ac55bf926d0666b72ad7ba6ec20f0b54d694bc3b8a0dbddda27bd64194da085319841d1ebc9dc067ef72ea064a475bea865828b13077bc8e14e2f7544b90f0045f3cd84bcc0d5a80645a6fb65528e4f768ec775bdb0225399f3c81c0b667714676d0949f9ffaddc8549dc45e5ce4345c4ea7dc0aff4ac510f5527ad94a2181edc4b73bcfde813a83d81ca897854c98712346001a12e5d3bf9a45c807f9b3c7d3e0bb99c035ea54ee39e2c9af4147dbea7aabec85b47192b945e083ddf6061afb901e83b11135d24e + SignatureAlgorithmOID: 1.2.840.113549.1.1.11 + IsCertificateAuthority: false + SerialNumber: 330000004de597a775e3157f7b00000000004d + Version: 3 + TBS: + MD5: 9f0782e89bd41cdd96ec55357457478a + SHA1: 35c2180572baad19019acca1334e6c653699c389 + SHA256: 50814710213afec410f26e573d25267a2e21d3d15f158be8a43a666c9cc6fa08 + - Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Windows Third Party Component CA 2014 + ValidFrom: '2014-10-15 20:31:27' + ValidTo: '2029-10-15 20:41:27' + Signature: 
96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f + SignatureAlgorithmOID: 1.2.840.113549.1.1.11 + IsCertificateAuthority: true + SerialNumber: 330000000d690d5d7893d076df00000000000d + Version: 3 + TBS: + MD5: 83f69422963f11c3c340b81712eef319 + SHA1: 0c5e5f24590b53bc291e28583acb78e5adc95601 + SHA256: d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae + Signer: + - SerialNumber: 330000004de597a775e3157f7b00000000004d + Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Windows Third Party Component CA 2014 + Version: 1 + RichPEHeaderHash: + MD5: 827395be6a60ed22c16a6eeea1843d8a + SHA1: 61171f78fedd9cc13cfa2fad18219d2aaf9ab83f + SHA256: d9b5607af39de0f2fc8d411d18fc86f6a1394c2b512b8876caef597f9c56dcad + Sections: + .text: + Entropy: 6.0164645838764494 + Virtual Size: '0x5a66' + .rdata: + Entropy: 5.545815315316552 + Virtual Size: '0x590' + .data: + Entropy: 1.445115035315444 + Virtual Size: '0x5a8' + .pdata: + Entropy: 4.277709228070346 + Virtual Size: '0x450' + .edata: 
+ Entropy: 3.956023170093665 + Virtual Size: '0x63' + INIT: + Entropy: 5.349379600291399 + Virtual Size: '0x4e0' + .rsrc: + Entropy: 3.2835150258002495 + Virtual Size: '0x360' + .reloc: + Entropy: 1.2355823247516717 + Virtual Size: '0x48' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2022-03-03 03:52:58' +- Filename: nscm.sys + MD5: f56f30ac68c35dd4680054cdfd8f3f00 + SHA1: fce3a95b222c810c56e7ed5a3d7fb059eb693682 + SHA256: 8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c + Authentihash: + MD5: 3050ced748b80cc81892435fd0868bfc + SHA1: 579e23f2b6ce2221ba435abc20801e98ab91a360 + SHA256: 34f36a59ecf6174eeac15994e54c41fe1e3e3b1eee8ed4c399ec8c63212373d7 + Description: Novell XTier Session Manager + Company: Novell, Inc. + InternalName: '' + OriginalFilename: nscm.sys + FileVersion: 3.1.6.0 + Product: Novell XTier + ProductVersion: 3.1.6 + Copyright: (C) Copyright 2000-2011, Novell, Inc. All Rights Reserved. + MachineType: AMD64 + Imports: + - ntoskrnl.exe + - nicm.sys + ExportedFunctions: + - DllGetClassObject + - XTCOM_Table + ImportedFunctions: + - IoCreateDevice + - SeUnregisterLogonSessionTerminatedRoutine + - KeInitializeMutex + - IoDeleteDevice + - SeRegisterLogonSessionTerminatedRoutine + - SeMarkLogonSessionForTerminationNotification + - KeReleaseMutex + - ZwOpenThreadTokenEx + - ZwOpenProcessTokenEx + - IoGetCurrentProcess + - ZwClose + - KeBugCheckEx + - KeWaitForSingleObject + - ZwQueryInformationToken + - DbgPrint + - NicmCreateInstance + - NicmDeregisterClassFactory + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , + G2 + ValidFrom: '2007-06-15 00:00:00' + ValidTo: '2012-06-14 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 3825d7faf861af9ef490e726b5d65ad5 + Version: 3 + TBS: + MD5: d6c7684e9aaa508cf268335f83afe040 + 
SHA1: 18066d20ad92409c567cdfde745279ff71c75226 + SHA256: a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2013-12-03 23:59:59' + Signature: 4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 47bf1995df8d524643f7db6d480d31a4 + Version: 3 + TBS: + MD5: 518d2ea8a21e879c942d504824ac211c + SHA1: 21ce87d827077e61abddf2beba69fde5432ea031 + SHA256: 1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 + CA + ValidFrom: '2009-05-21 00:00:00' + ValidTo: '2019-05-20 23:59:59' + Signature: 8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 655226e1b22e18e1590f2985ac22e75c + Version: 3 + TBS: + MD5: 650704c342850095f3288eaf791147d4 + SHA1: 4cdc38c800761463749c3cbd94a12f32e49877bf + SHA256: 07b8f662558ec85b71b43a79c6e94698144f4ced2308af21e7ba1e5d461da214 + - Subject: C=US, ST=Utah, L=Provo, O=Novell, Inc., OU=Digital ID Class 3 , Microsoft + Software Validation v2, OU=Novell Products Group, CN=Novell, Inc. 
+ ValidFrom: '2010-04-03 00:00:00' + ValidTo: '2013-04-26 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 41ec87c0295f2c734169b8a23c66ac9a + Version: 3 + TBS: + MD5: b1504f143b89a6080710bafcededb833 + SHA1: 5c2696893ebba1e81d918a4fadda143c25c77286 + SHA256: ae1dc09d08e93ace95fe203adfbfadcd4c029529d3f99ab381c368064b58d9a0 + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + Signer: + - SerialNumber: 41ec87c0295f2c734169b8a23c66ac9a + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 + CA + Version: 1 + RichPEHeaderHash: + MD5: 4a07178c85358a7450e421019955ccee + SHA1: 0e0b4edfb21b1a41b2f00f341bc1c6de6a650546 + SHA256: dd7717af9d41e7c2d7c773f3e063d396ad8676b3d940732451acc1fc28ec9989 + Sections: + .text: + Entropy: 5.98589698052852 + Virtual Size: '0x4c15' + .rdata: + Entropy: 5.645994240527473 + Virtual Size: '0x4b8' + .data: + Entropy: 0.8264834692004682 + Virtual Size: '0x568' + .pdata: + Entropy: 4.238276468304064 + Virtual Size: '0x3d8' + .edata: + Entropy: 3.956023170093665 + Virtual Size: '0x63' + INIT: + Entropy: 5.259964214601351 + Virtual Size: '0x360' + .rsrc: + Entropy: 3.287931080812757 + Virtual Size: '0x350' + .reloc: + Entropy: 1.2454265871243133 + Virtual Size: '0x3c' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2011-04-01 19:18:14' +- Filename: nscm.sys + MD5: 
a1547e8b2ca0516d0d9191a55b8536c0 + SHA1: 7cd4aea9c1f82111bf7f9d4934be95e9bb6f8ae0 + SHA256: ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2 + Authentihash: + MD5: 7e245f8b1d1bddfd217d1cd060b91657 + SHA1: 8c89db8dd4d7947cb5eb13c7a12907564576cb91 + SHA256: 00dfeab446afecac7b44b0b1680d5ca7d421eda243e16db8c08706bb593a8391 + Description: Novell XTier Session Manager + Company: Novell, Inc. + InternalName: '' + OriginalFilename: nscm.sys + FileVersion: 3.1.6.0 + Product: Novell XTier + ProductVersion: 3.1.6 + Copyright: (C) Copyright 2000-2008, Novell, Inc. All Rights Reserved. + MachineType: I386 + Imports: + - ntoskrnl.exe + - nicm.sys + ExportedFunctions: + - DllGetClassObject + - XTCOM_Table + ImportedFunctions: + - IoDeleteDevice + - SeUnregisterLogonSessionTerminatedRoutine + - SeRegisterLogonSessionTerminatedRoutine + - KeInitializeMutex + - IoCreateDevice + - ZwClose + - KeWaitForSingleObject + - ZwOpenProcessTokenEx + - ZwOpenThreadTokenEx + - IoGetCurrentProcess + - SeMarkLogonSessionForTerminationNotification + - KeTickCount + - DbgPrint + - ZwQueryInformationToken + - KeReleaseMutex + - NicmCreateInstance + - NicmDeregisterClassFactory + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , + G2 + ValidFrom: '2007-06-15 00:00:00' + ValidTo: '2012-06-14 23:59:59' + Signature: 50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + 
IsCertificateAuthority: false + SerialNumber: 3825d7faf861af9ef490e726b5d65ad5 + Version: 3 + TBS: + MD5: d6c7684e9aaa508cf268335f83afe040 + SHA1: 18066d20ad92409c567cdfde745279ff71c75226 + SHA256: a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff + - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA + ValidFrom: '2003-12-04 00:00:00' + ValidTo: '2013-12-03 23:59:59' + Signature: 4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 47bf1995df8d524643f7db6d480d31a4 + Version: 3 + TBS: + MD5: 518d2ea8a21e879c942d504824ac211c + SHA1: 21ce87d827077e61abddf2beba69fde5432ea031 + SHA256: 1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 + CA + ValidFrom: '2004-07-16 00:00:00' + ValidTo: '2014-07-15 23:59:59' + Signature: ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 4191a15a3978dfcf496566381d4c75c2 + Version: 3 + TBS: + MD5: 41011f8d0e7c7a6408334ca387914c61 + SHA1: c7fc1727f5b75a6421a1f95c73bbdb23580c48e5 + SHA256: 88dd3952638ee82738c03168e6fd863fe4eab1059ee5e2926ad8cb587c255dc0 + - Subject: C=US, ST=Utah, L=Provo, O=Novell, Inc., OU=Digital ID Class 3 , Microsoft + Software Validation v2, OU=Novell Products Group, CN=Novell, Inc. 
+ ValidFrom: '2007-04-04 00:00:00' + ValidTo: '2010-04-27 23:59:59' + Signature: 267f71f6ee43755fd6395f85c34bb15a72a6f2a959c2074627d294395fb1aaa4c7bbeff369d735628b233bde7e5c95a0f1837e5ad03704270834ce9c1b07649a256027930f44e064568666b06e7f9dc3cd299b38b0a6766301200ab58434a05a34a369ab99bbbf2aaa6b3603481e0393a80ea09e78a7cf55317a9590c49887f02e1fd948c3b1f6d203e91782ce423d0569f45e7f074205df5f92be6ccd9836641439af4390022242e0ca84aedb0d71c5a50f2dbd1ed30e5ac9c1bda67c694f94f2fe4aa83945ed32e426afe26f44dcb6dcc8186728f86f1a1bddc1ea7dd82b76578a42d1e63bf5f8f348fbcd509094858978e375d277394529df1dd5d78abab2 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 4808d93b14b8600dbfa18dab5d15310f + Version: 3 + TBS: + MD5: adddb65a3a360b3c1a55cb33e426f32a + SHA1: 93d9b282265288a94ee4f1a01c5fb3a08badb7ac + SHA256: d98d63f26125a94eb767fdd2526f6c74bfb40cb4d117a1d87ca3ed0d99bd6f0b + - Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority + ValidFrom: '2006-05-23 17:01:29' + ValidTo: '2016-05-23 17:11:29' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 610c120600000000001b + Version: 3 + TBS: + MD5: 53c41bc1164e09e0cd1617a5bf913efd + SHA1: 93c03aac8951d494ecd5696b1c08658541b18727 + SHA256: 40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b + Signer: + - SerialNumber: 4808d93b14b8600dbfa18dab5d15310f + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 + CA + Version: 1 + RichPEHeaderHash: + MD5: e92edbb3d49ed0e7c3de680c901221a8 + SHA1: 17f6d8284edd12372405ea1e0edb59249d6d2a02 + SHA256: 94fef4d39e3ffb29a749b7b8511c7ce76b9f824cb724eeef2529476a7b9af465 + Sections: + .text: + Entropy: 6.133436661587974 + Virtual Size: '0x337b' + .rdata: + Entropy: 5.95443123338063 + Virtual Size: '0x2cc' + .data: + 
Entropy: 0.6992933847552781 + Virtual Size: '0x294' + .edata: + Entropy: 3.88787733918592 + Virtual Size: '0x63' + INIT: + Entropy: 5.407607088870612 + Virtual Size: '0x2d6' + .rsrc: + Entropy: 3.289150653685818 + Virtual Size: '0x350' + .reloc: + Entropy: 6.220983522762253 + Virtual Size: '0x4f2' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2009-03-27 11:52:17' +- Filename: nscm.sys + MD5: bd5d4d07ae09e9f418d6b4ac6d9f2ed5 + SHA1: d61acd857242185a56e101642d15b9b5f0558c26 + SHA256: fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f + Authentihash: + MD5: 32265ccdfe3d7f66269cbee0d5555e5b + SHA1: 72e5f5f6f266410d827fef10dc82c7ec8541e036 + SHA256: 253ed7f5c7115e957dfdb1f5c6c51592b491a70b27787903c8fd848e45b9cf22 + Description: Novell XTier Session Manager + Company: Novell, Inc. + InternalName: '' + OriginalFilename: nscm.sys + FileVersion: 3.1.11.0 + Product: Novell XTier + ProductVersion: 3.1.11 + Copyright: (C) Copyright 2000-2013, Novell, Inc. All Rights Reserved. + MachineType: AMD64 + Imports: + - ntoskrnl.exe + - nicm.sys + ExportedFunctions: + - DllGetClassObject + - XTCOM_Table + ImportedFunctions: + - ExAllocatePoolWithTag + - ExFreePoolWithTag + - KeInitializeMutex + - IoQueueWorkItemEx + - IoDeleteDevice + - IoFreeWorkItem + - RtlEqualUnicodeString + - ZwOpenProcessTokenEx + - IoAllocateWorkItem + - ZwClose + - ZwOpenProcess + - DbgPrint + - PsGetCurrentProcessId + - IoCreateDevice + - ZwQueryInformationToken + - PsSetCreateProcessNotifyRoutine + - SeRegisterLogonSessionTerminatedRoutine + - SeUnregisterLogonSessionTerminatedRoutine + - ZwOpenThreadTokenEx + - IoGetCurrentProcess + - SeMarkLogonSessionForTerminationNotification + - KeBugCheckEx + - KeWaitForSingleObject + - ZwQueryInformationProcess + - KeReleaseMutex + - NicmCreateInstance + - NicmDeregisterClassFactory + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Corporation + 
ValidFrom: '2021-09-02 18:32:59' + ValidTo: '2022-09-01 18:32:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.11 + IsCertificateAuthority: false + SerialNumber: 33000002528b33aaf895f339db000000000252 + Version: 3 + TBS: + MD5: 92b6022918bc02eb361b8a02fb1da57d + SHA1: 8ceb945fac0f6d623d464e21740ae6eb60351652 + SHA256: c1446860a1cd9db490d3ea85e9df05df44af8d44e2bb803a2a2018f3b6c41bcb + - Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Code Signing PCA 2011 + ValidFrom: '2011-07-08 20:59:09' + ValidTo: '2026-07-08 21:09:09' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.11 + IsCertificateAuthority: true + SerialNumber: 610e90d2000000000003 + Version: 3 + TBS: + MD5: b4ec95434f1d45b8055077cf90540a5f + SHA1: 71f74db41d045d6eaf81a849bbb3e21544edcff4 + SHA256: f6f717a43ad9abddc8cefdde1c505462535e7d1307e630f9544a2d14fe8bf26e + Signer: + - SerialNumber: 33000002528b33aaf895f339db000000000252 + Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Code Signing PCA 2011 + Version: 1 + RichPEHeaderHash: + MD5: 0d646b28e804b652211b8f3e0feac906 + SHA1: 1169ececb349b1d1a50626a2565e85cc6e9049ea + SHA256: 097828b6f5705aca00605777868f774f37fd5ecf705e958c6dbdb860c4934be4 + Sections: + .text: + Entropy: 5.9944111351941185 + Virtual Size: '0x5736' + .rdata: + Entropy: 5.542492779395016 + Virtual Size: '0x570' + .data: + Entropy: 1.445115035315444 + Virtual Size: '0x5a8' + .pdata: + Entropy: 4.268472946152158 + Virtual Size: '0x42c' + .edata: + Entropy: 3.9636482963781448 + Virtual Size: '0x63' + INIT: + Entropy: 5.324738401510091 + Virtual Size: '0x4b6' + .rsrc: + Entropy: 3.275995301680775 + Virtual Size: '0x358' + .reloc: + Entropy: 1.2355823247516717 + Virtual Size: '0x48' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2013-01-15 23:24:57' +Tags: +- nscm.sys 
diff --git a/yaml/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f.yaml b/yaml/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f.yaml
index 49e0749fd..9b4628fef 100644
--- a/yaml/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f.yaml
+++ b/yaml/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f.yaml
@@ -26,6 +26,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/93740202-930c-4ab4-8603-8ec9532c5415.yaml b/yaml/93740202-930c-4ab4-8603-8ec9532c5415.yaml
index 4900eaa50..ead163266 100644
--- a/yaml/93740202-930c-4ab4-8603-8ec9532c5415.yaml
+++ b/yaml/93740202-930c-4ab4-8603-8ec9532c5415.yaml
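Review bot: The five entries added to `Detection` here duplicate the `sigma_hash`, `sigma_names`, `sysmon_hash_detect` and `sysmon_hash_block` links that the context lines directly above already show for this file, so the list now carries the same sysmon URLs twice; every other `@@ -N,6 +N,16 @@ Detection:` hunk in this range (93c84c08 through a845a05c) repeats the pattern. Only the `yara_signature` entry is genuinely new in each of them. Presumably the enrichment script appends its fixed sigma/sysmon list without a membership check; a guard such as `if link not in detection:` before each append, or rebuilding the list from scratch on every run, would keep these files idempotent instead of growing them on each regeneration. The hunks for 97fa88f6, 998ed67c and 9ca73d04 also leave the empty `- type: ''` / `value: ''` placeholder entry in place ahead of the real links, which every consumer of the data will now have to filter out.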
@@ -15,7 +15,17 @@ Commands:
 Privileges: kernel
 Usecase: Elevate privileges
 Created: '2023-06-05'
-Detection: []
+Detection:
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 93740202-930c-4ab4-8603-8ec9532c5415
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/93c84c08-4683-493d-abf7-22dc2d1cb567.yaml b/yaml/93c84c08-4683-493d-abf7-22dc2d1cb567.yaml
index b5d004364..37260a724 100644
--- a/yaml/93c84c08-4683-493d-abf7-22dc2d1cb567.yaml
+++ b/yaml/93c84c08-4683-493d-abf7-22dc2d1cb567.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 93c84c08-4683-493d-abf7-22dc2d1cb567
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/97fa88f6-3819-4d56-a82c-52a492a9e2b5.yaml b/yaml/97fa88f6-3819-4d56-a82c-52a492a9e2b5.yaml
index 3ed54d498..0087d4339 100644
--- a/yaml/97fa88f6-3819-4d56-a82c-52a492a9e2b5.yaml
+++ b/yaml/97fa88f6-3819-4d56-a82c-52a492a9e2b5.yaml
@@ -15,6 +15,16 @@ Created: '2023-07-22'
 Detection:
 - type: ''
 value: ''
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 97fa88f6-3819-4d56-a82c-52a492a9e2b5
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/998ed67c-9c20-46ef-a6ba-abc606b540b9.yaml b/yaml/998ed67c-9c20-46ef-a6ba-abc606b540b9.yaml
index 38010ee91..a24c4cae5 100644
--- a/yaml/998ed67c-9c20-46ef-a6ba-abc606b540b9.yaml
+++ b/yaml/998ed67c-9c20-46ef-a6ba-abc606b540b9.yaml
@@ -15,6 +15,16 @@ Created: '2023-07-22'
 Detection:
 - type: ''
 value: ''
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 998ed67c-9c20-46ef-a6ba-abc606b540b9
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/999a11ae-ec2b-4863-baa4-1384ec2b7339.yaml b/yaml/999a11ae-ec2b-4863-baa4-1384ec2b7339.yaml
index 84fb223a2..55a3a6d3f 100644
--- a/yaml/999a11ae-ec2b-4863-baa4-1384ec2b7339.yaml
+++ b/yaml/999a11ae-ec2b-4863-baa4-1384ec2b7339.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 999a11ae-ec2b-4863-baa4-1384ec2b7339
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/9a4fb66e-9084-4b21-9d76-a7afbe330606.yaml b/yaml/9a4fb66e-9084-4b21-9d76-a7afbe330606.yaml
index 46bc0a534..3d3355d95 100644
--- a/yaml/9a4fb66e-9084-4b21-9d76-a7afbe330606.yaml
+++ b/yaml/9a4fb66e-9084-4b21-9d76-a7afbe330606.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 9a4fb66e-9084-4b21-9d76-a7afbe330606
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/9c3c6e89-3916-498f-81e5-da057ab3ed42.yaml b/yaml/9c3c6e89-3916-498f-81e5-da057ab3ed42.yaml
index 6ca3004e3..349412288 100644
--- a/yaml/9c3c6e89-3916-498f-81e5-da057ab3ed42.yaml
+++ b/yaml/9c3c6e89-3916-498f-81e5-da057ab3ed42.yaml
@@ -26,6 +26,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 9c3c6e89-3916-498f-81e5-da057ab3ed42
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/9ca73d04-3349-4c16-9384-94c43335a031.yaml b/yaml/9ca73d04-3349-4c16-9384-94c43335a031.yaml
index 8fe8d6a40..f9bb04e2b 100644
--- a/yaml/9ca73d04-3349-4c16-9384-94c43335a031.yaml
+++ b/yaml/9ca73d04-3349-4c16-9384-94c43335a031.yaml
@@ -15,6 +15,16 @@ Created: '2023-07-22'
 Detection:
 - type: ''
 value: ''
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 9ca73d04-3349-4c16-9384-94c43335a031
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/9e87b6b0-00ed-4259-bcd7-05e2c924d58c.yaml b/yaml/9e87b6b0-00ed-4259-bcd7-05e2c924d58c.yaml
index 528e75915..7843d1f7e 100644
--- a/yaml/9e87b6b0-00ed-4259-bcd7-05e2c924d58c.yaml
+++ b/yaml/9e87b6b0-00ed-4259-bcd7-05e2c924d58c.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 9e87b6b0-00ed-4259-bcd7-05e2c924d58c
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/a02ee964-a21e-4b08-9c98-a730c90bfd53.yml b/yaml/a02ee964-a21e-4b08-9c98-a730c90bfd53.yml
index fac8f8641..b04956386 100644
--- a/yaml/a02ee964-a21e-4b08-9c98-a730c90bfd53.yml
+++ b/yaml/a02ee964-a21e-4b08-9c98-a730c90bfd53.yml
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
 Person: Michael Alfaro
 Handle: '@_mmpte_software'
-Detection: []
+Detection:
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: LMIinfo.sys
 MD5: d4f7c14e92b36c341c41ae93159407dd
diff --git a/yaml/a0fbd397-64d5-4af2-844b-b096e08a1866.yml b/yaml/a0fbd397-64d5-4af2-844b-b096e08a1866.yml
index 4c708c2e3..bc4c3cd2a 100644
--- a/yaml/a0fbd397-64d5-4af2-844b-b096e08a1866.yml
+++ b/yaml/a0fbd397-64d5-4af2-844b-b096e08a1866.yml
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
 Person: []
 Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: libnicm.sys
 MD5: 7a6a6d6921cd1a4e1d61f9672a4560d6
diff --git a/yaml/a22104a8-126d-449f-ba3e-28678c60c587.yaml b/yaml/a22104a8-126d-449f-ba3e-28678c60c587.yaml
index f3599345e..89519449d 100644
--- a/yaml/a22104a8-126d-449f-ba3e-28678c60c587.yaml
+++ b/yaml/a22104a8-126d-449f-ba3e-28678c60c587.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: a22104a8-126d-449f-ba3e-28678c60c587
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/a261cd64-0d04-4bf5-ad73-f3bb96bf83cf.yaml b/yaml/a261cd64-0d04-4bf5-ad73-f3bb96bf83cf.yaml
index a02b37bdf..acca189ff 100644
--- a/yaml/a261cd64-0d04-4bf5-ad73-f3bb96bf83cf.yaml
+++ b/yaml/a261cd64-0d04-4bf5-ad73-f3bb96bf83cf.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: a261cd64-0d04-4bf5-ad73-f3bb96bf83cf
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/a285591e-ad3c-46a3-a648-c58589ff5efc.yaml b/yaml/a285591e-ad3c-46a3-a648-c58589ff5efc.yaml
index 94e04868b..fee598cf9 100644
--- a/yaml/a285591e-ad3c-46a3-a648-c58589ff5efc.yaml
+++ b/yaml/a285591e-ad3c-46a3-a648-c58589ff5efc.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: a285591e-ad3c-46a3-a648-c58589ff5efc
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/a33de377-d2c2-4c71-98ca-cd0be8d284f9.yaml b/yaml/a33de377-d2c2-4c71-98ca-cd0be8d284f9.yaml
index 0ffc9ec23..31093e625 100644
--- a/yaml/a33de377-d2c2-4c71-98ca-cd0be8d284f9.yaml
+++ b/yaml/a33de377-d2c2-4c71-98ca-cd0be8d284f9.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: a33de377-d2c2-4c71-98ca-cd0be8d284f9
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f.yaml b/yaml/a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f.yaml
index cd6270c4d..1386e441f 100644
--- a/yaml/a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f.yaml
+++ b/yaml/a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/a5ebba11-5a31-48d2-9c6d-78bba397edf1.yaml b/yaml/a5ebba11-5a31-48d2-9c6d-78bba397edf1.yaml
index 6cdd91610..9f43d1872 100644
--- a/yaml/a5ebba11-5a31-48d2-9c6d-78bba397edf1.yaml
+++ b/yaml/a5ebba11-5a31-48d2-9c6d-78bba397edf1.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: a5ebba11-5a31-48d2-9c6d-78bba397edf1
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/a66d0413-cc82-4f1e-bcf1-0dcf9d79f6c0.yaml b/yaml/a66d0413-cc82-4f1e-bcf1-0dcf9d79f6c0.yaml
index 93ec12eb1..b6cadf35d 100644
--- a/yaml/a66d0413-cc82-4f1e-bcf1-0dcf9d79f6c0.yaml
+++ b/yaml/a66d0413-cc82-4f1e-bcf1-0dcf9d79f6c0.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: a66d0413-cc82-4f1e-bcf1-0dcf9d79f6c0
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/a7628504-9e35-4e42-91f7-0c0a512549f4.yml b/yaml/a7628504-9e35-4e42-91f7-0c0a512549f4.yml
index 77280adfa..1eaaa369f 100644
--- a/yaml/a7628504-9e35-4e42-91f7-0c0a512549f4.yml
+++ b/yaml/a7628504-9e35-4e42-91f7-0c0a512549f4.yml
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
 Person: []
 Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: SANDRA
 MD5: c842827d4704a5ef53a809463254e1cc
diff --git a/yaml/a7775cbe-624b-4b04-b74f-969f77c2ac02.yaml b/yaml/a7775cbe-624b-4b04-b74f-969f77c2ac02.yaml
index 6b833d7b4..3ce9c9b9c 100644
--- a/yaml/a7775cbe-624b-4b04-b74f-969f77c2ac02.yaml
+++ b/yaml/a7775cbe-624b-4b04-b74f-969f77c2ac02.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: a7775cbe-624b-4b04-b74f-969f77c2ac02
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/a7bba474-815f-49be-bddc-4d76a64c866c.yaml b/yaml/a7bba474-815f-49be-bddc-4d76a64c866c.yaml
index 4292ecaae..6664bfbe8 100644
--- a/yaml/a7bba474-815f-49be-bddc-4d76a64c866c.yaml
+++ b/yaml/a7bba474-815f-49be-bddc-4d76a64c866c.yaml
@@ -104,6 +104,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: a7bba474-815f-49be-bddc-4d76a64c866c
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/a845a05c-5357-4b78-9783-16b4d34b2cb0.yaml b/yaml/a845a05c-5357-4b78-9783-16b4d34b2cb0.yaml
index 2b8ee90f5..c399861a3 100644
--- a/yaml/a845a05c-5357-4b78-9783-16b4d34b2cb0.yaml
+++ b/yaml/a845a05c-5357-4b78-9783-16b4d34b2cb0.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: a845a05c-5357-4b78-9783-16b4d34b2cb0
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/a8e999ee-746f-4788-9102-c1d3d2914f56.yaml b/yaml/a8e999ee-746f-4788-9102-c1d3d2914f56.yaml
index 582ffc71d..1e4dbd8ef 100644
--- a/yaml/a8e999ee-746f-4788-9102-c1d3d2914f56.yaml
+++ b/yaml/a8e999ee-746f-4788-9102-c1d3d2914f56.yaml
@@ -11,7 +11,17 @@ Commands:
 Privileges: kernel
 Usecase: Elevate privileges
 Created: '2023-01-09'
-Detection: []
+Detection:
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: a8e999ee-746f-4788-9102-c1d3d2914f56
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/a9d9cbb7-b5f6-4e74-97a5-29993263280e.yml b/yaml/a9d9cbb7-b5f6-4e74-97a5-29993263280e.yml
index 7ab549886..1219f11b2 100644
--- a/yaml/a9d9cbb7-b5f6-4e74-97a5-29993263280e.yml
+++ b/yaml/a9d9cbb7-b5f6-4e74-97a5-29993263280e.yml
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
 Person: []
 Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: CorsairLLAccess64.sys
 MD5: b34361d151c793415ef92ee5d368c053
diff --git a/yaml/aa687f89-4f3b-4b59-b64e-fee5e2ae2310.yaml b/yaml/aa687f89-4f3b-4b59-b64e-fee5e2ae2310.yaml
index 8d805d29a..6b53aecd3 100644
--- a/yaml/aa687f89-4f3b-4b59-b64e-fee5e2ae2310.yaml
+++ b/yaml/aa687f89-4f3b-4b59-b64e-fee5e2ae2310.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: aa687f89-4f3b-4b59-b64e-fee5e2ae2310
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/ad21819d-3080-4fe2-89b1-74385031fb4d.yaml b/yaml/ad21819d-3080-4fe2-89b1-74385031fb4d.yaml
index 900abf2f1..506d347c5 100644
--- a/yaml/ad21819d-3080-4fe2-89b1-74385031fb4d.yaml
+++ b/yaml/ad21819d-3080-4fe2-89b1-74385031fb4d.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: ad21819d-3080-4fe2-89b1-74385031fb4d
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/b03798af-d25a-400b-9236-4643a802846f.yml b/yaml/b03798af-d25a-400b-9236-4643a802846f.yml
index 1d4298d1d..a903b9898 100644
--- a/yaml/b03798af-d25a-400b-9236-4643a802846f.yml
+++ b/yaml/b03798af-d25a-400b-9236-4643a802846f.yml
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
 Person: []
 Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: RwDrv.sys
 MD5: f853abe0dc162601e66e4a346faed854
diff --git a/yaml/b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6.yaml b/yaml/b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6.yaml
index b09cf8df4..840bf44b1 100644
--- a/yaml/b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6.yaml
+++ b/yaml/b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/b72f7335-6f27-42c5-85f5-ed7eb9016eac.yaml b/yaml/b72f7335-6f27-42c5-85f5-ed7eb9016eac.yaml
index fc0260df7..e4c187165 100644
--- a/yaml/b72f7335-6f27-42c5-85f5-ed7eb9016eac.yaml
+++ b/yaml/b72f7335-6f27-42c5-85f5-ed7eb9016eac.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: b72f7335-6f27-42c5-85f5-ed7eb9016eac
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/babe348d-f160-41ec-9db9-2413b989c1f0.yaml b/yaml/babe348d-f160-41ec-9db9-2413b989c1f0.yaml
index 3b44c53d0..ee14103f9 100644
--- a/yaml/babe348d-f160-41ec-9db9-2413b989c1f0.yaml
+++ b/yaml/babe348d-f160-41ec-9db9-2413b989c1f0.yaml
@@ -15,6 +15,16 @@ Created: '2023-07-22'
 Detection:
 - type: ''
 value: ''
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: babe348d-f160-41ec-9db9-2413b989c1f0
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/bb808089-5857-4df2-8998-753a7106cb44.yaml b/yaml/bb808089-5857-4df2-8998-753a7106cb44.yaml
index 6afa64e9e..76c17b73c 100644
--- a/yaml/bb808089-5857-4df2-8998-753a7106cb44.yaml
+++ b/yaml/bb808089-5857-4df2-8998-753a7106cb44.yaml
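Review bot: The pre-existing placeholder pair `- type: ''` / `value: ''` is kept as the first element of Detection while the real entries are appended after it, so anything iterating this list now meets an entry with an empty type and an empty URL alongside valid references. The hunk should replace the placeholder rather than append after it — delete those two context lines on the new side — and the step that generates these lists should drop empty-string placeholder entries before writing, since an empty `value` is not a usable detection link. Within this chunk the placeholder shape appears only in this file.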
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: bb808089-5857-4df2-8998-753a7106cb44
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/bc5e020a-ecff-43c8-b57b-ee17b5f65b21.yaml b/yaml/bc5e020a-ecff-43c8-b57b-ee17b5f65b21.yaml
index 3a310c837..45bedca22 100644
--- a/yaml/bc5e020a-ecff-43c8-b57b-ee17b5f65b21.yaml
+++ b/yaml/bc5e020a-ecff-43c8-b57b-ee17b5f65b21.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: bc5e020a-ecff-43c8-b57b-ee17b5f65b21
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc.yaml b/yaml/be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc.yaml
index 888eb943e..c0615adb0 100644
--- a/yaml/be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc.yaml
+++ b/yaml/be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/bf01915d-045f-442c-a74e-25c56182123f.yaml b/yaml/bf01915d-045f-442c-a74e-25c56182123f.yaml
index 7f6de4d4d..de5ca13c4 100644
--- a/yaml/bf01915d-045f-442c-a74e-25c56182123f.yaml
+++ b/yaml/bf01915d-045f-442c-a74e-25c56182123f.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: bf01915d-045f-442c-a74e-25c56182123f
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/c3cca618-5a7f-4a51-8785-cb328fbfb0df.yaml b/yaml/c3cca618-5a7f-4a51-8785-cb328fbfb0df.yaml
index 945c85098..6ff5fe466 100644
--- a/yaml/c3cca618-5a7f-4a51-8785-cb328fbfb0df.yaml
+++ b/yaml/c3cca618-5a7f-4a51-8785-cb328fbfb0df.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: c3cca618-5a7f-4a51-8785-cb328fbfb0df
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/c98af16e-197f-4e66-bf94-14646bde32dd.yml b/yaml/c98af16e-197f-4e66-bf94-14646bde32dd.yml
index c197b8f34..881767f5b 100644
--- a/yaml/c98af16e-197f-4e66-bf94-14646bde32dd.yml
+++ b/yaml/c98af16e-197f-4e66-bf94-14646bde32dd.yml
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
 Person: []
 Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: CupFixerx64.sys
 MD5: 2b3e0db4f00d4b3d0b4d178234b02e72
diff --git a/yaml/ca1e8664-841f-4e4b-9e67-3f515cc249c6.yaml b/yaml/ca1e8664-841f-4e4b-9e67-3f515cc249c6.yaml
index 5e65eb28e..816c93b2e 100644
--- a/yaml/ca1e8664-841f-4e4b-9e67-3f515cc249c6.yaml
+++ b/yaml/ca1e8664-841f-4e4b-9e67-3f515cc249c6.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: ca1e8664-841f-4e4b-9e67-3f515cc249c6
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/ca415ed5-b611-4840-bfb2-6e1eacac33d1.yaml b/yaml/ca415ed5-b611-4840-bfb2-6e1eacac33d1.yaml
index 664c69cfc..8c1da9a9d 100644
--- a/yaml/ca415ed5-b611-4840-bfb2-6e1eacac33d1.yaml
+++ b/yaml/ca415ed5-b611-4840-bfb2-6e1eacac33d1.yaml
@@ -24,6 +24,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: ca415ed5-b611-4840-bfb2-6e1eacac33d1
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/ca768fc5-9b5c-4ced-90ab-fd6be9a70199.yaml b/yaml/ca768fc5-9b5c-4ced-90ab-fd6be9a70199.yaml
index 77c68be3c..723266846 100644
--- a/yaml/ca768fc5-9b5c-4ced-90ab-fd6be9a70199.yaml
+++ b/yaml/ca768fc5-9b5c-4ced-90ab-fd6be9a70199.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: ca768fc5-9b5c-4ced-90ab-fd6be9a70199
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/cf49f43c-d7b4-4c1a-a40d-1be36ea64bff.yaml b/yaml/cf49f43c-d7b4-4c1a-a40d-1be36ea64bff.yaml
index eb3c97005..5db555829 100644
--- a/yaml/cf49f43c-d7b4-4c1a-a40d-1be36ea64bff.yaml
+++ b/yaml/cf49f43c-d7b4-4c1a-a40d-1be36ea64bff.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: cf49f43c-d7b4-4c1a-a40d-1be36ea64bff
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/cfdc5cb4-be5c-4dcc-a883-825fa72115b4.yaml b/yaml/cfdc5cb4-be5c-4dcc-a883-825fa72115b4.yaml
index 38d22583d..84bbd646f 100644
--- a/yaml/cfdc5cb4-be5c-4dcc-a883-825fa72115b4.yaml
+++ b/yaml/cfdc5cb4-be5c-4dcc-a883-825fa72115b4.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: cfdc5cb4-be5c-4dcc-a883-825fa72115b4
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/d0048840-970f-4ad5-9a07-1d39469d721f.yaml b/yaml/d0048840-970f-4ad5-9a07-1d39469d721f.yaml
index e1fb53fd4..4e488448c 100644
--- a/yaml/d0048840-970f-4ad5-9a07-1d39469d721f.yaml
+++ b/yaml/d0048840-970f-4ad5-9a07-1d39469d721f.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: d0048840-970f-4ad5-9a07-1d39469d721f
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/d2806397-9ceb-47c8-b5f3-3aabec182ff5.yaml b/yaml/d2806397-9ceb-47c8-b5f3-3aabec182ff5.yaml
index 1b0e68076..5a82ed9a2 100644
--- a/yaml/d2806397-9ceb-47c8-b5f3-3aabec182ff5.yaml
+++ b/yaml/d2806397-9ceb-47c8-b5f3-3aabec182ff5.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: d2806397-9ceb-47c8-b5f3-3aabec182ff5
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/d35cb48d-2aca-4d7d-a194-f4566183bcd9.yml b/yaml/d35cb48d-2aca-4d7d-a194-f4566183bcd9.yml
index 7a794dd0f..ce85ed944 100644
--- a/yaml/d35cb48d-2aca-4d7d-a194-f4566183bcd9.yml
+++ b/yaml/d35cb48d-2aca-4d7d-a194-f4566183bcd9.yml
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
 Person: []
 Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: TmComm.sys
 MD5: 34686a4b10f239d781772e9e94486c1a
diff --git a/yaml/d819bee2-3bff-481f-a301-acc3d1f5fe58.yaml b/yaml/d819bee2-3bff-481f-a301-acc3d1f5fe58.yaml
index 7b11f0afc..c4dc22237 100644
--- a/yaml/d819bee2-3bff-481f-a301-acc3d1f5fe58.yaml
+++ b/yaml/d819bee2-3bff-481f-a301-acc3d1f5fe58.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: d819bee2-3bff-481f-a301-acc3d1f5fe58
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/d9e00cc7-a8f4-4390-a6dc-0f5423e97da4.yaml b/yaml/d9e00cc7-a8f4-4390-a6dc-0f5423e97da4.yaml
index d5ade8371..8c2b12086 100644
--- a/yaml/d9e00cc7-a8f4-4390-a6dc-0f5423e97da4.yaml
+++ b/yaml/d9e00cc7-a8f4-4390-a6dc-0f5423e97da4.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: d9e00cc7-a8f4-4390-a6dc-0f5423e97da4
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/d9f2c3d6-160c-4eb3-8547-894fcf810342.yaml b/yaml/d9f2c3d6-160c-4eb3-8547-894fcf810342.yaml
index 871672759..0e48cd611 100644
--- a/yaml/d9f2c3d6-160c-4eb3-8547-894fcf810342.yaml
+++ b/yaml/d9f2c3d6-160c-4eb3-8547-894fcf810342.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: d9f2c3d6-160c-4eb3-8547-894fcf810342
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/da7314dc-6cf1-4d74-a0d1-796fc08944f8.yaml b/yaml/da7314dc-6cf1-4d74-a0d1-796fc08944f8.yaml
new file mode 100644
index 000000000..9bd4768a0
--- /dev/null
+++ b/yaml/da7314dc-6cf1-4d74-a0d1-796fc08944f8.yaml
@@ -0,0 +1,3256 @@ +Id: da7314dc-6cf1-4d74-a0d1-796fc08944f8 +Author: Michael Haag +Created: '2023-05-20' +MitreID: T1068 +Category: malicious +Verified: 'TRUE' +Commands: + Command: sc.exe create windbg.sys binPath=C:\windows\temp\windbg.sys type=kernel + && sc.exe start windbg.sys + Description: "These samples are related to CopperStealth campaign found by TrendMicro.\ + \ CopperStealth\u2019s infection chain involves dropping and loading a rootkit,\ + \ which later injects its payload into explorer.exe and another system process.\ + \ These payloads are responsible for downloading and running additional tasks.\ + \ The rootkit also blocks access to blocklisted registry keys and prevents certain\ + \ executables and drivers from running." + Usecase: Elevate privileges + Privileges: kernel + OperatingSystem: Windows 10 +Resources: +- https://www.trendmicro.com/en_us/research/23/e/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules.html +Acknowledgement: + Person: '' + Handle: '' +Detection: +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/139f8412a7c6fdc43dcfbbcdba256ee55654eb36a40f338249d5162a1f69b988.yara +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/5b932eab6c67f62f097a3249477ac46d80ddccdc52654f8674060b4ddf638e5d.yara +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/6994b32e3f3357f4a1d0abe81e8b62dd54e36b17816f2f1a80018584200a1b77.yara +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/32882949ea084434a376451ff8364243a50485a3b4af2f2240bb5f20c164543d.yara +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/50819a1add4c81c0d53203592d6803f022443440935ff8260ff3b6d5253c0c76.yara +- type: yara_signature + value: 
https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/770f33259d6fb10f4a32d8a57d0d12953e8455c72bb7b60cb39ce505c507013a.yara +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/86047bb1969d1db455493955fd450d18c62a3f36294d0a6c3732c88dfbcc4f62.yara +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/bb2422e96ea993007f25c71d55b2eddfa1e940c89e895abb50dd07d7c17ca1df.yara +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/06c5ebd0371342d18bc81a96f5e5ce28de64101e3c2fd0161d0b54d8368d2f1f.yara +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/6661320f779337b95bbbe1943ee64afb2101c92f92f3d1571c1bf4201c38c724.yara +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/f9f2091fccb289bcf6a945f6b38676ec71dedb32f3674262928ccaf840ca131a.yara +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/e6f764c3b5580cd1675cbf184938ad5a201a8c096607857869bd7c3399df0d12.yara +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d.yara +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/4734a0a5d88f44a4939b8d812364cab6ca5f611b9b8ceebe27df6c1ed3a6d8a4.yara +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/ea50f22daade04d3ca06dedb497b905215cba31aae7b4cab4b533fda0c5be620.yara +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/fa9abb3e7e06f857be191a1e049dd37642ec41fb2520c105df2227fcac3de5d5.yara +- type: yara_signature + value: 
https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/f936ec4c8164cbd31add659b61c16cb3a717eac90e74d89c47afb96b60120280.yara +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +KnownVulnerableSamples: +- Filename: windbg.sys + MD5: 40f35792e7565aa047796758a3ce1b77 + SHA1: 6df35a0c2f6d7d39d24277137ea840078dafb812 + SHA256: 139f8412a7c6fdc43dcfbbcdba256ee55654eb36a40f338249d5162a1f69b988 + Signature: '' + Date: '' + Publisher: '' + Company: Microsoft Corporation + Description: Windows GUI symbolic debugger + Product: Microsoft? Windows? 
Operating System + ProductVersion: 10.0.19041.685 + FileVersion: 10.0.19041.685 (WinBuild.160101.0800) + MachineType: AMD64 + OriginalFilename: windbg.sys + Authentihash: + MD5: 3a2404b8c4c87facf5316e4ff16bd603 + SHA1: ff3d240cf0faeafb37f176b71151dd83b2177a0e + SHA256: e307ebe2d43cc8e290e5ade032a6e38bc6961439f92d6e99b954bf1368a975ef + InternalName: windbg.sys + Copyright: '? Microsoft Corporation. All rights reserved.' + Imports: + - ntoskrnl.exe + ExportedFunctions: '' + ImportedFunctions: + - ExAllocatePoolWithTag + - PsProcessType + - IoGetLowerDeviceObject + - ExFreePoolWithTag + - IoRegisterShutdownNotification + - IoAttachDeviceToDeviceStackSafe + - PsLookupProcessByProcessId + - RtlInitUnicodeString + - IoDeleteDevice + - MmGetSystemRoutineAddress + - IoDetachDevice + - KeDelayExecutionThread + - IoUnregisterShutdownNotification + - ZwClose + - IoGetAttachedDeviceReference + - PsGetCurrentProcessId + - ObfDereferenceObject + - IoCreateDevice + - IoEnumerateDeviceObjectList + - IoUnregisterFsRegistrationChange + - ObOpenObjectByPointer + - IoRegisterFsRegistrationChange + - IofCallDriver + - MmUnmapLockedPages + - _wcsicmp + - PsGetProcessPeb + - ZwCreateKey + - RtlCreateUnicodeString + - MmMapLockedPages + - PsSetLoadImageNotifyRoutine + - _wcsnicmp + - ZwReadFile + - IoCreateFile + - ZwDeleteValueKey + - ZwSetValueKey + - RtlEqualUnicodeString + - MmBuildMdlForNonPagedPool + - IoFreeMdl + - RtlFreeUnicodeString + - ObQueryNameString + - ZwQueryValueKey + - _vsnwprintf + - RtlRandom + - PsRemoveLoadImageNotifyRoutine + - ZwFlushKey + - MmCreateMdl + - ZwDeleteFile + - PsGetVersion + - CmRegisterCallback + - RtlCopyUnicodeString + - MmIsAddressValid + - CmUnRegisterCallback + - ZwQueryInformationFile + - ZwWriteFile + - ZwDeleteKey + - ZwEnumerateKey + - ZwAllocateVirtualMemory + - ZwOpenKey + - KeUnstackDetachProcess + - ZwWaitForSingleObject + - ZwFreeVirtualMemory + - PsGetProcessSessionId + - ZwDuplicateObject + - ObReferenceObjectByName + - 
KeStackAttachProcess + - RtlSubAuthoritySid + - _strnicmp + - KeSetEvent + - KeInitializeEvent + - ZwOpenProcessTokenEx + - PsCreateSystemThread + - PsTerminateSystemThread + - ObReferenceObjectByHandle + - KeWaitForSingleObject + - PsThreadType + - RtlSubAuthorityCountSid + - ZwQueryInformationToken + - KeBugCheckEx + - strncmp + - strstr + - strchr + - strncpy + - _vsnprintf + - rand + - _stricmp + - ExAllocatePool + - IoBuildDeviceIoControlRequest + - IoGetRelatedDeviceObject + - ZwCreateFile + - IoFreeIrp + - MmProbeAndLockPages + - IoAllocateMdl + - __C_specific_handler + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=CN, ST=Guangdong, L=Shenzhen, O=Shenzhen Luyoudashi Technology Co., + Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Shenzhen + Luyoudashi Technology Co., Ltd. + ValidFrom: '2014-05-06 00:00:00' + ValidTo: '2015-05-06 23:59:59' + Signature: 14a41c7ad5dc6309c5b0390f4dbdec058fab41138c90e8a92e5316495d46210a64a3573a304cb2d791c50f3815a2b7ed11057018158311d061080686a2bd6a0a3c9097161b98e46ab15267b3bbdbd76d43d1bc9a239a24e98a6673e1b1c6ca83230ce3862e0d422f113bb3b5fb2b9254346f40c810f6e0bbc7f137f22d0d272a150eac91baf8513472d277290dfc55c7d2b22003c0fccad9a29fbceeba1586efae4bd98de245bda466f7eca00673d4418f90609b9a6c5cbf1a25a3373f2744a3974cd0ba89f9d1b23a02058dd151c0fda03ffca6a40a6d91c7678b675996b5c0c63f491428684be2367b5a60048f3543b5ddf6ba5270bbe376f5e2b62b14fe6a + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 5f9e06262d2eed425c886a4709350426 + Version: 3 + TBS: + MD5: e01323d4e9f20b9c042abdd9585d2d81 + SHA1: d1fab71f563191354037fe0bb8bf73718c721e45 + SHA256: 9db6a214ff40e20a9785ef23e93d98de1c0f3b018703c86e6c7cd0d4ade37a14 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2011-02-22 19:25:17' + ValidTo: '2021-02-22 19:35:17' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 611993e400000000001c + Version: 3 + TBS: + MD5: 78a717e082dcc1cda3458d917e677d14 + SHA1: 4a872e0e51f9b304469cd1dedb496ee9b8b983a4 + SHA256: 317fa1d234ebc49040ebc5e8746f8997471496051b185a91bdd9dfbb23fab5f8 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + - Subject: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo + RSA Time Stamping CA + ValidFrom: '2019-05-02 00:00:00' + ValidTo: '2038-01-18 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.12 + IsCertificateAuthority: true + SerialNumber: 300f6facdd6698747ca94636a7782db9 + Version: 3 + TBS: + MD5: 63499ed59a1293b786649470e4ce0bd7 + SHA1: 7309d8eaa65da1f3da7030c08f00a3b0a20fa908 + SHA256: 8c8d2046b29e792e71b28705fe67c435208a336dde074a75452d98e72c734937 + - Subject: 'C=GB, ST=Manchester, O=Sectigo Limited, CN=Sectigo RSA Time Stamping + Signer #3' + ValidFrom: '2022-05-11 00:00:00' + ValidTo: '2033-08-10 23:59:59' + Signature: 
73daed6872cbc2b940a131bbb403a32d147b24e7b45b157da8e9fdadd1920d7c3d36a069d9f39a30daac69d67457243f7e0f3cd9f5c379256c26e88d6893cef17789397fa80405da34c314ea9f0854abffc47e966c2bd394ebb46ce0454d2cb2f73b3b5ab5c1fbd789756d987272f6f70728f3d3b2d0eb19be152c78efcd45a000e4f80476bb57c590be775490749e0b4f4dc4aa138f97af01352bcb9b1178e9f2f989043c4ee3821262ebb4440c7541c20f34b8889dc822f1136adb182f6e78adc405b4e884089307f97d83fe689834e477e5b1ce8c946cdb036d2805477e9b2ef064fbdba40331107c1afb3c1980d10b70b9555f47be3964ceb7da235432e346b232d8d22986c9155d8095af02fbb4d12e9d387c35e00f1ced1b47489c226a5582d9f2ba086503e5f129f3488a09014ca679f2a2b61a9994eb9728e1be7d1ba17ced5680a6f4223390e48453fc2afac0a797a8eab58d7acee4e04ba133ab0b76a0d56916b78e66bf5ffa1fc4a87fa7a14814910d82fcbd4d99edc9e66c36fe774399b8692d7c612feda3b049fe5bbe692491ff93fc5769924bd9053f6d8672d3a2d0c064d23a42c11a03fbd0ed9a21b83fafa6b25154d54cc5ca1f128d57c639ed5cffec9f2676ad646667e8aa30e0d2adb77db16a41276e038aa374e08a09826ebfe3f6b7bc9e0b29186881a19c3f6e16594b1409099ae6aebf6015dd86f5 + SignatureAlgorithmOID: 1.2.840.113549.1.1.12 + IsCertificateAuthority: false + SerialNumber: 0090397f9ad24a3a13f2bd915f0838a943 + Version: 3 + TBS: + MD5: 26ec2c9bfcb06fdf8a6d95f2c616fd72 + SHA1: 635466f1432046f6fd338624c068872ab6488b12 + SHA256: 2219bd6adf84dc8f6f04833974d150f75f5ce79cbf85788a6f7efaa4a5205839 + Signer: + - SerialNumber: 5f9e06262d2eed425c886a4709350426 + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 + RichPEHeaderHash: + MD5: 57462998048f7ee977ca73cacd0a8a2a + SHA1: f1a4626b2b16389bf879d451c63ff53bca825d23 + SHA256: 9e96e39a30076c985ce6aa3547b8279c8f471122a0b25bebde5a189d9795d427 + Sections: + .text: + Entropy: 6.329047072816416 + Virtual Size: '0xee62' + .rdata: + Entropy: 7.874863723842617 + Virtual Size: '0x116164' + .data: + Entropy: 1.4228529560727312 + Virtual Size: '0x2608' + .pdata: + Entropy: 
4.838191412178099 + Virtual Size: '0x6b4' + INIT: + Entropy: 5.354478421940713 + Virtual Size: '0xb3c' + .rsrc: + Entropy: 3.337476767732356 + Virtual Size: '0x400' + .reloc: + Entropy: 1.3463891478457575 + Virtual Size: '0x174' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2023-03-07 08:50:35' +- Filename: windbg.sys + MD5: 093a2a635c3a27aac50efd6463f4efa1 + SHA1: b34a012887ddab761b2298f882858fa1ff4d99f1 + SHA256: 5b932eab6c67f62f097a3249477ac46d80ddccdc52654f8674060b4ddf638e5d + Signature: '' + Date: '' + Publisher: '' + Company: Microsoft Corporation + Description: Windows GUI symbolic debugger + Product: Microsoft? Windows? Operating System + ProductVersion: 10.0.19041.685 + FileVersion: 10.0.19041.685 (WinBuild.160101.0800) + MachineType: I386 + OriginalFilename: windbg.sys + Authentihash: + MD5: dab51577c44fda1574532847f4deb56c + SHA1: c7cb92f60ffe07d1c9bfa43ea1213f8c8f766022 + SHA256: 6ee267fc3d0ac2662a9cfdb0ed5a2354ee09ef4c218303f20350177cae125cf7 + InternalName: windbg.sys + Copyright: '? Microsoft Corporation. All rights reserved.' 
+ Imports: + - ntoskrnl.exe + ExportedFunctions: '' + ImportedFunctions: + - IoDeleteDevice + - IoDetachDevice + - memcpy + - memset + - ZwClose + - ExFreePoolWithTag + - ExAllocatePoolWithTag + - ObOpenObjectByPointer + - PsProcessType + - PsLookupProcessByProcessId + - MmGetSystemRoutineAddress + - RtlInitUnicodeString + - IofCallDriver + - PsGetCurrentProcessId + - IoGetLowerDeviceObject + - ObfDereferenceObject + - IoGetAttachedDeviceReference + - IoUnregisterShutdownNotification + - KeDelayExecutionThread + - IoAttachDeviceToDeviceStackSafe + - IoCreateDevice + - IoEnumerateDeviceObjectList + - IoRegisterShutdownNotification + - IoUnregisterFsRegistrationChange + - IoRegisterFsRegistrationChange + - _vsnwprintf + - PsGetVersion + - ZwAllocateVirtualMemory + - MmUnmapLockedPages + - IoFreeMdl + - MmMapLockedPages + - MmBuildMdlForNonPagedPool + - MmCreateMdl + - ZwReadFile + - ZwQueryInformationFile + - IoCreateFile + - _wcsicmp + - _wcsnicmp + - RtlEqualUnicodeString + - ZwWriteFile + - ZwFlushKey + - ZwSetValueKey + - ZwQueryValueKey + - RtlRandom + - KeQuerySystemTime + - ZwDeleteKey + - ZwOpenKey + - ZwEnumerateKey + - IoFreeIrp + - KeSetEvent + - KeWaitForSingleObject + - KeGetCurrentThread + - KeInitializeEvent + - IoAllocateIrp + - IoGetRelatedDeviceObject + - ObReferenceObjectByHandle + - IoFileObjectType + - ObQueryNameString + - RtlCopyUnicodeString + - MmIsAddressValid + - PsGetProcessPeb + - RtlCreateUnicodeString + - ZwDeleteValueKey + - ZwCreateKey + - RtlFreeUnicodeString + - ZwDeleteFile + - PsRemoveLoadImageNotifyRoutine + - CmUnRegisterCallback + - PsSetLoadImageNotifyRoutine + - CmRegisterCallback + - ObReferenceObjectByName + - ZwFreeVirtualMemory + - ZwWaitForSingleObject + - KeUnstackDetachProcess + - KeStackAttachProcess + - ZwDuplicateObject + - PsGetProcessSessionId + - _strnicmp + - RtlSubAuthoritySid + - RtlSubAuthorityCountSid + - ZwQueryInformationToken + - ZwOpenProcessTokenEx + - PsTerminateSystemThread + - PsThreadType + - 
PsCreateSystemThread + - KeTickCount + - KeBugCheckEx + - _vsnprintf + - strncmp + - strchr + - strncpy + - strstr + - ExAllocatePool + - _stricmp + - rand + - ZwCreateFile + - IoBuildDeviceIoControlRequest + - MmProbeAndLockPages + - IoAllocateMdl + - _allshl + - RtlUnwind + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance + EV Root CA + ValidFrom: '2011-04-15 19:45:33' + ValidTo: '2021-04-15 19:55:33' + Signature: 208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 61204db4000000000027 + Version: 3 + TBS: + MD5: 8e3ffc222fbcebdbb8b23115ab259be7 + SHA1: ee20bff28ffe13be731c294c90d6ded5aae0ec0e + SHA256: 59826b69bc8c28118c96323b627da59aaca0b142cc5d8bad25a8fcfd399aa821 + - Subject: ??=CN, ??=, ??=, ??=Private Organization, serialNumber=91420100MA4KN92W72, + C=CN, ST=, L=, O=Wuhan Jiajia Yiyong Technology Co., Ltd., 
CN=Wuhan Jiajia + Yiyong Technology Co., Ltd. + ValidFrom: '2020-11-17 00:00:00' + ValidTo: '2023-11-12 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 012eab44fa8853d913e7107c89406432 + Version: 3 + TBS: + MD5: 5d40693a8cfc4fd21f0c610ed3ee8477 + SHA1: 4dffeb59ea4c32c7b87c9fe44d55f5e622444824 + SHA256: d7380ff1b3d400fdf8cf2d8ab18ac65a071ae51c83cce017fa236fb530c4af74 + - Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing + CA + ValidFrom: '2012-04-18 12:00:00' + ValidTo: '2027-04-18 12:00:00' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 0dd0e3374ac95bdbfa6b434b2a48ec06 + Version: 3 + TBS: + MD5: f92649915476229b093c211c2b18e6c4 + SHA1: 2d54c16a8f8b69ccdea48d0603c132f547a5cf75 + SHA256: 2cd702a7dec30aa441345672e8992ef9770ce4946f276d767b45b0ed627658fb + Signer: + - SerialNumber: 012eab44fa8853d913e7107c89406432 + Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing + CA + Version: 1 + RichPEHeaderHash: + MD5: e1c6e942db6887e4c9e630b5bb75c313 + SHA1: e703cd9718363d923287424967d01ca57fc8a842 + SHA256: 8afa5d95d504001486a7641c204a06b483d2cf4f3b4ed072606cc05759996d9d + Sections: + .text: + Entropy: 6.5601743726896915 + Virtual Size: '0xcf52' + .rdata: + Entropy: 7.956474654695534 + Virtual Size: '0xdc5e4' + .data: + Entropy: 2.3758735106170197 + Virtual Size: '0x2420' + INIT: + Entropy: 5.700732148931988 + Virtual Size: '0xa1a' + .rsrc: + Entropy: 3.337476767732356 + Virtual Size: '0x400' + .reloc: + Entropy: 3.4327474207821553 + Virtual Size: '0x144e' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2023-03-30 04:24:09' +- Filename: windbg.sys + MD5: 844af8c877f5da723c1b82cf6e213fc1 + SHA1: 4f2d9a70ea24121ae01df8a76ffba1f9cc0fde4a + SHA256: 
6994b32e3f3357f4a1d0abe81e8b62dd54e36b17816f2f1a80018584200a1b77 + Signature: '' + Date: '' + Publisher: '' + Company: Microsoft Corporation + Description: Windows GUI symbolic debugger + Product: Microsoft? Windows? Operating System + ProductVersion: 10.0.19041.685 + FileVersion: 10.0.19041.685 (WinBuild.160101.0800) + MachineType: AMD64 + OriginalFilename: windbg.sys + Authentihash: + MD5: 98a3ab2b723de48256701b417ff87a65 + SHA1: ff80d6663a92ff454526e88847cbb4d9bd00e21e + SHA256: 79278979d9300670d1084493bbc03ae374efc5ab02850941e85753885fa88e47 + InternalName: windbg.sys + Copyright: '? Microsoft Corporation. All rights reserved.' + Imports: + - ntoskrnl.exe + ExportedFunctions: '' + ImportedFunctions: + - ExAllocatePoolWithTag + - PsProcessType + - IoGetLowerDeviceObject + - ExFreePoolWithTag + - IoRegisterShutdownNotification + - IoAttachDeviceToDeviceStackSafe + - PsLookupProcessByProcessId + - RtlInitUnicodeString + - IoDeleteDevice + - MmGetSystemRoutineAddress + - IoDetachDevice + - KeDelayExecutionThread + - IoUnregisterShutdownNotification + - ZwClose + - IoGetAttachedDeviceReference + - PsGetCurrentProcessId + - ObfDereferenceObject + - IoCreateDevice + - IoEnumerateDeviceObjectList + - IoUnregisterFsRegistrationChange + - ObOpenObjectByPointer + - IoRegisterFsRegistrationChange + - IofCallDriver + - MmUnmapLockedPages + - _wcsicmp + - PsGetProcessPeb + - ZwCreateKey + - RtlCreateUnicodeString + - MmMapLockedPages + - PsSetLoadImageNotifyRoutine + - _wcsnicmp + - ZwReadFile + - IoGetRelatedDeviceObject + - KeSetEvent + - IoCreateFile + - KeInitializeEvent + - ZwDeleteValueKey + - ZwSetValueKey + - RtlEqualUnicodeString + - MmBuildMdlForNonPagedPool + - IoFreeMdl + - RtlFreeUnicodeString + - ObQueryNameString + - IoFileObjectType + - ZwQueryValueKey + - _vsnwprintf + - RtlRandom + - ObReferenceObjectByHandle + - KeWaitForSingleObject + - PsRemoveLoadImageNotifyRoutine + - ZwFlushKey + - MmCreateMdl + - IoFreeIrp + - ZwDeleteFile + - PsGetVersion + - 
IoAllocateIrp + - CmRegisterCallback + - RtlCopyUnicodeString + - MmIsAddressValid + - CmUnRegisterCallback + - ZwQueryInformationFile + - ZwWriteFile + - ZwDeleteKey + - ZwEnumerateKey + - ZwAllocateVirtualMemory + - ZwOpenKey + - KeUnstackDetachProcess + - ZwWaitForSingleObject + - ZwFreeVirtualMemory + - PsGetProcessSessionId + - ZwDuplicateObject + - ObReferenceObjectByName + - KeStackAttachProcess + - RtlSubAuthoritySid + - _strnicmp + - ZwOpenProcessTokenEx + - PsCreateSystemThread + - PsTerminateSystemThread + - PsThreadType + - RtlSubAuthorityCountSid + - ZwQueryInformationToken + - KeBugCheckEx + - strncmp + - strstr + - strchr + - strncpy + - _vsnprintf + - rand + - _stricmp + - ExAllocatePool + - IoBuildDeviceIoControlRequest + - ZwCreateFile + - MmProbeAndLockPages + - IoAllocateMdl + - __C_specific_handler + Signatures: {} + RichPEHeaderHash: + MD5: 0b8725117e665d5272218cb41038327d + SHA1: a6dde20a0c8ba6cfe531ce1a57035b8d7b3d900a + SHA256: b54213d1248761579f5f569ab7e32402dd88a12622377d381f7eb55d4f4eb053 + Sections: + .text: + Entropy: 6.316212989532183 + Virtual Size: '0xf332' + .rdata: + Entropy: 7.924187513971753 + Virtual Size: '0x1100cc' + .data: + Entropy: 1.4059711626373768 + Virtual Size: '0x2608' + .pdata: + Entropy: 4.843716813714921 + Virtual Size: '0x6d8' + INIT: + Entropy: 5.256170796244334 + Virtual Size: '0xb70' + .rsrc: + Entropy: 3.333432129597516 + Virtual Size: '0x400' + .reloc: + Entropy: 1.3463891478457575 + Virtual Size: '0x174' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2023-03-30 04:23:58' +- Filename: windbg.sys + MD5: 2ec877e425bd7eddb663627216e3491e + SHA1: d4f5323da704ff2f25d6b97f38763c147f2a0e6f + SHA256: 32882949ea084434a376451ff8364243a50485a3b4af2f2240bb5f20c164543d + Signature: '' + Date: '' + Publisher: '' + Company: Microsoft Corporation + Description: Windows GUI symbolic debugger + Product: Microsoft? Windows? 
Operating System + ProductVersion: 10.0.19041.685 + FileVersion: 10.0.19041.685 (WinBuild.160101.0800) + MachineType: AMD64 + OriginalFilename: windbg.sys + Authentihash: + MD5: 75c70824590d4db183418c7fd9e47d2d + SHA1: 1ccd8bc3104fe1654806752e1e6730d3ee0b4ee4 + SHA256: e7e7824d611527b67fc36128da1b35d9b8ce3ffdab3fb96e3dbabd6e9c9570c0 + InternalName: windbg.sys + Copyright: '? Microsoft Corporation. All rights reserved.' + Imports: + - ntoskrnl.exe + ExportedFunctions: '' + ImportedFunctions: + - ExAllocatePoolWithTag + - PsProcessType + - IoGetLowerDeviceObject + - ExFreePoolWithTag + - IoRegisterShutdownNotification + - IoAttachDeviceToDeviceStackSafe + - PsLookupProcessByProcessId + - RtlInitUnicodeString + - IoDeleteDevice + - MmGetSystemRoutineAddress + - IoDetachDevice + - KeDelayExecutionThread + - IoUnregisterShutdownNotification + - ZwClose + - IoGetAttachedDeviceReference + - PsGetCurrentProcessId + - ObfDereferenceObject + - IoCreateDevice + - IoEnumerateDeviceObjectList + - IoUnregisterFsRegistrationChange + - ObOpenObjectByPointer + - IoRegisterFsRegistrationChange + - IofCallDriver + - MmUnmapLockedPages + - _wcsicmp + - PsGetProcessPeb + - ZwCreateKey + - RtlCreateUnicodeString + - MmMapLockedPages + - PsSetLoadImageNotifyRoutine + - _wcsnicmp + - ZwReadFile + - IoCreateFile + - ZwDeleteValueKey + - ZwSetValueKey + - RtlEqualUnicodeString + - MmBuildMdlForNonPagedPool + - IoFreeMdl + - RtlFreeUnicodeString + - ObQueryNameString + - ZwQueryValueKey + - _vsnwprintf + - RtlRandom + - PsRemoveLoadImageNotifyRoutine + - ZwFlushKey + - MmCreateMdl + - ZwDeleteFile + - PsGetVersion + - CmRegisterCallback + - RtlCopyUnicodeString + - MmIsAddressValid + - CmUnRegisterCallback + - ZwQueryInformationFile + - ZwWriteFile + - ZwDeleteKey + - ZwEnumerateKey + - ZwAllocateVirtualMemory + - ZwOpenKey + - KeUnstackDetachProcess + - ZwWaitForSingleObject + - ZwFreeVirtualMemory + - PsGetProcessSessionId + - ZwDuplicateObject + - ObReferenceObjectByName + - 
KeStackAttachProcess + - RtlSubAuthoritySid + - _strnicmp + - KeSetEvent + - KeInitializeEvent + - ZwOpenProcessTokenEx + - PsCreateSystemThread + - PsTerminateSystemThread + - ObReferenceObjectByHandle + - KeWaitForSingleObject + - PsThreadType + - RtlSubAuthorityCountSid + - ZwQueryInformationToken + - KeBugCheckEx + - strncmp + - strstr + - strchr + - strncpy + - _vsnprintf + - rand + - _stricmp + - ExAllocatePool + - IoBuildDeviceIoControlRequest + - IoGetRelatedDeviceObject + - ZwCreateFile + - IoFreeIrp + - MmProbeAndLockPages + - IoAllocateMdl + - __C_specific_handler + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=CN, ST=Shandong, L=Binzhou, O=Binzhoushi Yongyu Feed Co.,LTd., CN=Binzhoushi + Yongyu Feed Co.,LTd. + ValidFrom: '2014-01-17 00:00:00' + ValidTo: '2016-01-17 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 5d11784fb81765023f89a4f4243fe1a9 + Version: 3 + TBS: + MD5: b5ff0da6f1d327dca52b08e9c7c8d439 + SHA1: c7acfdfc234a3bb37535cbe2785d9202b4b0a10c + SHA256: 80a8f0e8652dcea59596b4238f4c2d9f0212a25ea7434fde70a68a202b7ed0b1 + - Subject: C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2 + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 56fe535ce1c79ebca7ed7e536d6a144b518c405e805faaa4e82fef38c804c9ca3ecfdf3a584eb0d4b663c52957fa02059a454d68db2a1bd4343d9f00c35acb9549a56ee1b0c5fc414d414a6fd377c8d7388de419de18f31f1565836d450c53f90a9a2ea55dbf6f32811892196a5500ad631c52067e55d92968ae4a7c189a79886b2323d827382a298776cafbc7b662231fed7a564cdd9c325bf53d0c4618953b2a2368836441d9006d0f1924156872bdc571676eac4cdb90eb51a51a6207d0be6a00473c722fec4f613e7385ce5a0ab7bac01c1375e3223928dd6d1d09469d4fbae8408191c6a4ce94721b01cf2a6e15679589ae7db7b7cdf90a3d75b66b3c25 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 
47974d7873a5bcab0d2fb370192fce5e + Version: 3 + TBS: + MD5: e3a93dc2a8a8a668fdbb286bfe9afab5 + SHA1: 95795d2aa2a554a423bc8c6e5b0a016d14887d35 + SHA256: d8844186775bddbccaf3dc017064df7d760fd4b85c5d07561a3efd7da950f89e + - Subject: C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 + thawte, Inc. , For authorized use only, CN=thawte Primary Root CA + ValidFrom: '2011-02-22 19:31:57' + ValidTo: '2021-02-22 19:41:57' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 611fb0a400000000001d + Version: 3 + TBS: + MD5: a3f222107d4e1085e73b5b589c2f480b + SHA1: b94aa26cd77c48d91a53ac44506cbd255e1d362c + SHA256: a39ed0d6fd4eb1a6f7fed60f726e23eae668b7591bc004644625d22c701213fa + Signer: + - SerialNumber: 5d11784fb81765023f89a4f4243fe1a9 + Issuer: C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2 + Version: 1 + RichPEHeaderHash: + MD5: 57462998048f7ee977ca73cacd0a8a2a + SHA1: f1a4626b2b16389bf879d451c63ff53bca825d23 + SHA256: 9e96e39a30076c985ce6aa3547b8279c8f471122a0b25bebde5a189d9795d427 + Sections: + .text: + Entropy: 6.3276248460048405 + Virtual Size: '0xee62' + .rdata: + Entropy: 7.875642919708588 + Virtual Size: '0x116164' + .data: + Entropy: 1.4228529560727312 + Virtual Size: '0x2608' + .pdata: + Entropy: 4.838191412178099 + Virtual Size: '0x6b4' + INIT: + Entropy: 5.354478421940713 + Virtual Size: '0xb3c' + .rsrc: + Entropy: 3.337476767732356 + Virtual Size: '0x400' + .reloc: + Entropy: 1.3463891478457575 + Virtual Size: '0x174' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2023-03-08 03:14:00' +- Filename: windbg.sys + MD5: 0023ca0ca16a62d93ef51f3df98b2f94 + SHA1: 97812f334a077c40e8e642bb9872ac2c49ddb9a2 + SHA256: 50819a1add4c81c0d53203592d6803f022443440935ff8260ff3b6d5253c0c76 + Signature: '' + Date: '' + Publisher: '' + Company: Microsoft Corporation + Description: Windows GUI symbolic debugger + Product: Microsoft? Windows? 
Operating System + ProductVersion: 10.0.19041.685 + FileVersion: 10.0.19041.685 (WinBuild.160101.0800) + MachineType: AMD64 + OriginalFilename: windbg.sys + Authentihash: + MD5: c12f9f4027088d2ca69b2d2fec33131b + SHA1: f73aa876791246fb7486214e4d3f81a0d375e649 + SHA256: 88b901ce8ee199bc371e9cf39ab5375d31c6881a25ba5827e9b32ba7946ecda1 + InternalName: windbg.sys + Copyright: '? Microsoft Corporation. All rights reserved.' + Imports: + - ntoskrnl.exe + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - ExAllocatePoolWithTag + - ExAllocatePool + - NtQuerySystemInformation + - ExFreePoolWithTag + - IoAllocateMdl + - MmProbeAndLockPages + - MmMapLockedPagesSpecifyCache + - MmUnlockPages + - IoFreeMdl + - KeQueryActiveProcessors + - KeSetSystemAffinityThread + - KeRevertToUserAffinityThread + - DbgPrint + - KeQueryPerformanceCounter + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance + EV Root CA + ValidFrom: '2011-04-15 19:45:33' + ValidTo: '2021-04-15 19:55:33' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 61204db4000000000027 + Version: 3 + TBS: + MD5: 8e3ffc222fbcebdbb8b23115ab259be7 + SHA1: ee20bff28ffe13be731c294c90d6ded5aae0ec0e + SHA256: 59826b69bc8c28118c96323b627da59aaca0b142cc5d8bad25a8fcfd399aa821 + - Subject: ??=CN, ??=, ??=, ??=Private Organization, serialNumber=91420100MA4KN92W72, + C=CN, ST=, L=, O=Wuhan Jiajia Yiyong Technology Co., Ltd., CN=Wuhan Jiajia + Yiyong Technology Co., Ltd. 
+ ValidFrom: '2020-11-17 00:00:00' + ValidTo: '2023-11-12 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 012eab44fa8853d913e7107c89406432 + Version: 3 + TBS: + MD5: 5d40693a8cfc4fd21f0c610ed3ee8477 + SHA1: 4dffeb59ea4c32c7b87c9fe44d55f5e622444824 + SHA256: d7380ff1b3d400fdf8cf2d8ab18ac65a071ae51c83cce017fa236fb530c4af74 + - Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing + CA + ValidFrom: '2012-04-18 12:00:00' + ValidTo: '2027-04-18 12:00:00' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 0dd0e3374ac95bdbfa6b434b2a48ec06 + Version: 3 + TBS: + MD5: f92649915476229b093c211c2b18e6c4 + SHA1: 2d54c16a8f8b69ccdea48d0603c132f547a5cf75 + SHA256: 2cd702a7dec30aa441345672e8992ef9770ce4946f276d767b45b0ed627658fb + Signer: + - SerialNumber: 012eab44fa8853d913e7107c89406432 + Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing + CA + Version: 1 + RichPEHeaderHash: + MD5: ffdf660eb1ebf020a1d0a55a90712dfb + SHA1: 3e905e3d061d0d59de61fcf39c994fcb0ec1bab3 + SHA256: 2b3f99a94b7a7132854be769e27b331419c53989ef42f686d6f5ba09ddefefd6 + Sections: + .text: + Entropy: 0.0 + Virtual Size: '0xecf2' + .rdata: + Entropy: 0.0 + Virtual Size: '0x11139c' + .data: + Entropy: 0.0 + Virtual Size: '0x2608' + .pdata: + Entropy: 0.0 + Virtual Size: '0x6a8' + INIT: + Entropy: 0.0 + Virtual Size: '0xb3c' + .%V,: + Entropy: 0.0 + Virtual Size: '0x2f1e75' + .vK6: + Entropy: 0.44041120165049624 + Virtual Size: '0x410' + .ubd: + Entropy: 7.791669802177395 + Virtual Size: '0x66d38c' + .reloc: + Entropy: 3.688528320309426 + Virtual Size: '0xf0' + .rsrc: + Entropy: 3.3574600171780125 + Virtual Size: '0x3f8' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2023-03-09 06:55:38' +- Filename: windbg.sys + MD5: 
f69b06ca7c34d16f26ea1c6861edf62a + SHA1: fdbcebb6cafda927d384d7be2e8063a4377d884f + SHA256: 770f33259d6fb10f4a32d8a57d0d12953e8455c72bb7b60cb39ce505c507013a + Signature: '' + Date: '' + Publisher: '' + Company: Microsoft Corporation + Description: Windows GUI symbolic debugger + Product: Microsoft? Windows? Operating System + ProductVersion: 10.0.19041.685 + FileVersion: 10.0.19041.685 (WinBuild.160101.0800) + MachineType: AMD64 + OriginalFilename: windbg.sys + Authentihash: + MD5: 5d9b4ff04047d06a76354c7f7caa1e9e + SHA1: 6230645a707228e023d7fc9c5c86c340be05f9c3 + SHA256: 28d3a5a85eef4561c4ad08fd83aca4f7a946f8dca8bfb7958a855a80197f68a6 + InternalName: windbg.sys + Copyright: '? Microsoft Corporation. All rights reserved.' + Imports: + - ntoskrnl.exe + ExportedFunctions: '' + ImportedFunctions: + - ExAllocatePoolWithTag + - PsProcessType + - IoGetLowerDeviceObject + - ExFreePoolWithTag + - IoRegisterShutdownNotification + - IoAttachDeviceToDeviceStackSafe + - PsLookupProcessByProcessId + - RtlInitUnicodeString + - IoDeleteDevice + - MmGetSystemRoutineAddress + - IoDetachDevice + - KeDelayExecutionThread + - IoUnregisterShutdownNotification + - ZwClose + - IoGetAttachedDeviceReference + - PsGetCurrentProcessId + - ObfDereferenceObject + - IoCreateDevice + - IoEnumerateDeviceObjectList + - IoUnregisterFsRegistrationChange + - ObOpenObjectByPointer + - IoRegisterFsRegistrationChange + - IofCallDriver + - MmUnmapLockedPages + - _wcsicmp + - PsGetProcessPeb + - ZwCreateKey + - RtlCreateUnicodeString + - MmMapLockedPages + - PsSetLoadImageNotifyRoutine + - _wcsnicmp + - ZwReadFile + - IoGetRelatedDeviceObject + - KeSetEvent + - IoCreateFile + - KeInitializeEvent + - ZwDeleteValueKey + - ZwSetValueKey + - RtlEqualUnicodeString + - MmBuildMdlForNonPagedPool + - IoFreeMdl + - RtlFreeUnicodeString + - ObQueryNameString + - IoFileObjectType + - ZwQueryValueKey + - _vsnwprintf + - RtlRandom + - ObReferenceObjectByHandle + - KeWaitForSingleObject + - 
PsRemoveLoadImageNotifyRoutine + - ZwFlushKey + - MmCreateMdl + - IoFreeIrp + - ZwDeleteFile + - PsGetVersion + - IoAllocateIrp + - CmRegisterCallback + - RtlCopyUnicodeString + - MmIsAddressValid + - CmUnRegisterCallback + - ZwQueryInformationFile + - ZwWriteFile + - ZwDeleteKey + - ZwEnumerateKey + - ZwAllocateVirtualMemory + - ZwOpenKey + - KeUnstackDetachProcess + - ZwWaitForSingleObject + - ZwFreeVirtualMemory + - PsGetProcessSessionId + - ZwDuplicateObject + - ObReferenceObjectByName + - KeStackAttachProcess + - RtlSubAuthoritySid + - _strnicmp + - ZwOpenProcessTokenEx + - PsCreateSystemThread + - PsTerminateSystemThread + - PsThreadType + - RtlSubAuthorityCountSid + - ZwQueryInformationToken + - KeBugCheckEx + - strncmp + - strstr + - strchr + - strncpy + - _vsnprintf + - rand + - _stricmp + - ExAllocatePool + - IoBuildDeviceIoControlRequest + - ZwCreateFile + - MmProbeAndLockPages + - IoAllocateMdl + - __C_specific_handler + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance + EV Root CA + ValidFrom: '2011-04-15 19:45:33' + ValidTo: '2021-04-15 19:55:33' + Signature: 
208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 61204db4000000000027 + Version: 3 + TBS: + MD5: 8e3ffc222fbcebdbb8b23115ab259be7 + SHA1: ee20bff28ffe13be731c294c90d6ded5aae0ec0e + SHA256: 59826b69bc8c28118c96323b627da59aaca0b142cc5d8bad25a8fcfd399aa821 + - Subject: ??=CN, ??=, ??=, ??=Private Organization, serialNumber=91420100MA4KN92W72, + C=CN, ST=, L=, O=Wuhan Jiajia Yiyong Technology Co., Ltd., CN=Wuhan Jiajia + Yiyong Technology Co., Ltd. 
+ ValidFrom: '2020-11-17 00:00:00' + ValidTo: '2023-11-12 23:59:59' + Signature: 9451eb3eee03a01f0c66d87dc537eb17f37bc157ec9037c05a55ee4a3d0c207c67b981841c2b642084bca0a3c65f8e8eb5413f3e897b267aad91044c4098319a1f703fa995afdc53896d20245af8c2829e80081d36135ac1acb414bf966fd0af157b3fc2dac8f616f2b794a76b0fb7b300db0c579f093e31dd739b43f09fb7a73c6c914d8453032ea14950246e80abfc7fbaff2597ab68b6f03d30d97edbee25c0e2786040a1770e26661867920f3b01132c4ac5dc9ef97ae59e7baad68fe1b2b12acc7ed54697e9d4025ced62ac9dca82104ac7dd8219b331fcbed72aab33b95fed0ef6a1f9831c8b68457be6b080ae3c9ae15df500a53b7b2a198ee71abd1b + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 012eab44fa8853d913e7107c89406432 + Version: 3 + TBS: + MD5: 5d40693a8cfc4fd21f0c610ed3ee8477 + SHA1: 4dffeb59ea4c32c7b87c9fe44d55f5e622444824 + SHA256: d7380ff1b3d400fdf8cf2d8ab18ac65a071ae51c83cce017fa236fb530c4af74 + - Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing + CA + ValidFrom: '2012-04-18 12:00:00' + ValidTo: '2027-04-18 12:00:00' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 0dd0e3374ac95bdbfa6b434b2a48ec06 + Version: 3 + TBS: + MD5: f92649915476229b093c211c2b18e6c4 + SHA1: 2d54c16a8f8b69ccdea48d0603c132f547a5cf75 + SHA256: 2cd702a7dec30aa441345672e8992ef9770ce4946f276d767b45b0ed627658fb + Signer: + - SerialNumber: 012eab44fa8853d913e7107c89406432 + Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing + CA + Version: 1 + RichPEHeaderHash: + MD5: 0b8725117e665d5272218cb41038327d + SHA1: a6dde20a0c8ba6cfe531ce1a57035b8d7b3d900a + SHA256: b54213d1248761579f5f569ab7e32402dd88a12622377d381f7eb55d4f4eb053 + Sections: + .text: + Entropy: 6.31593365316145 + Virtual Size: '0xf332' + .rdata: + Entropy: 7.924187513971753 + Virtual Size: '0x1100cc' + .data: + Entropy: 1.4059711626373768 + Virtual Size: '0x2608' + .pdata: + 
Entropy: 4.843716813714921 + Virtual Size: '0x6d8' + INIT: + Entropy: 5.256170796244334 + Virtual Size: '0xb70' + .rsrc: + Entropy: 3.333432129597516 + Virtual Size: '0x400' + .reloc: + Entropy: 1.3463891478457575 + Virtual Size: '0x174' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2023-03-30 04:23:58' +- Filename: windbg.sys + MD5: e8eac6642b882a6196555539149c73f2 + SHA1: 3825ebb0b0664b5f0789371240f65231693be37d + SHA256: 86047bb1969d1db455493955fd450d18c62a3f36294d0a6c3732c88dfbcc4f62 + Signature: '' + Date: '' + Publisher: '' + Company: Microsoft Corporation + Description: Windows GUI symbolic debugger + Product: Microsoft? Windows? Operating System + ProductVersion: 10.0.19041.685 + FileVersion: 10.0.19041.685 (WinBuild.160101.0800) + MachineType: AMD64 + OriginalFilename: windbg.sys + Authentihash: + MD5: 1584b06241f08d74434a452e798b2809 + SHA1: 8eca36d54d04736f61f54285bcee8c30ed892553 + SHA256: ff6108dd2017f9bc7ea93c43c1afbda0f1cc7b00f5afafb4ce3cf0a193e9598b + InternalName: windbg.sys + Copyright: '? Microsoft Corporation. All rights reserved.' 
+ Imports: + - ntoskrnl.exe + ExportedFunctions: '' + ImportedFunctions: + - ExAllocatePoolWithTag + - PsProcessType + - IoGetLowerDeviceObject + - ExFreePoolWithTag + - IoRegisterShutdownNotification + - IoAttachDeviceToDeviceStackSafe + - PsLookupProcessByProcessId + - RtlInitUnicodeString + - IoDeleteDevice + - MmGetSystemRoutineAddress + - IoDetachDevice + - KeDelayExecutionThread + - IoUnregisterShutdownNotification + - ZwClose + - IoGetAttachedDeviceReference + - PsGetCurrentProcessId + - ObfDereferenceObject + - IoCreateDevice + - IoEnumerateDeviceObjectList + - IoUnregisterFsRegistrationChange + - ObOpenObjectByPointer + - IoRegisterFsRegistrationChange + - IofCallDriver + - MmUnmapLockedPages + - _wcsicmp + - PsGetProcessPeb + - ZwCreateKey + - RtlCreateUnicodeString + - MmMapLockedPages + - PsSetLoadImageNotifyRoutine + - _wcsnicmp + - ZwReadFile + - IoGetRelatedDeviceObject + - KeSetEvent + - IoCreateFile + - KeInitializeEvent + - ZwDeleteValueKey + - ZwSetValueKey + - RtlEqualUnicodeString + - MmBuildMdlForNonPagedPool + - IoFreeMdl + - RtlFreeUnicodeString + - ObQueryNameString + - IoFileObjectType + - ZwQueryValueKey + - _vsnwprintf + - RtlRandom + - ObReferenceObjectByHandle + - KeWaitForSingleObject + - PsRemoveLoadImageNotifyRoutine + - ZwFlushKey + - MmCreateMdl + - IoFreeIrp + - ZwDeleteFile + - PsGetVersion + - IoAllocateIrp + - CmRegisterCallback + - RtlCopyUnicodeString + - MmIsAddressValid + - CmUnRegisterCallback + - ZwQueryInformationFile + - ZwWriteFile + - ZwDeleteKey + - ZwEnumerateKey + - ZwAllocateVirtualMemory + - ZwOpenKey + - KeUnstackDetachProcess + - ZwWaitForSingleObject + - ZwFreeVirtualMemory + - PsGetProcessSessionId + - ZwDuplicateObject + - ObReferenceObjectByName + - KeStackAttachProcess + - RtlSubAuthoritySid + - _strnicmp + - ZwOpenProcessTokenEx + - PsCreateSystemThread + - PsTerminateSystemThread + - PsThreadType + - RtlSubAuthorityCountSid + - ZwQueryInformationToken + - KeBugCheckEx + - strncmp + - strstr + - strchr + 
- strncpy + - _vsnprintf + - rand + - _stricmp + - ExAllocatePool + - IoBuildDeviceIoControlRequest + - ZwCreateFile + - MmProbeAndLockPages + - IoAllocateMdl + - __C_specific_handler + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance + EV Root CA + ValidFrom: '2011-04-15 19:45:33' + ValidTo: '2021-04-15 19:55:33' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 61204db4000000000027 + Version: 3 + TBS: + MD5: 8e3ffc222fbcebdbb8b23115ab259be7 + SHA1: ee20bff28ffe13be731c294c90d6ded5aae0ec0e + SHA256: 59826b69bc8c28118c96323b627da59aaca0b142cc5d8bad25a8fcfd399aa821 + - Subject: ??=CN, ??=, ??=, ??=Private Organization, serialNumber=91420100MA4KN92W72, + C=CN, ST=, L=, O=Wuhan Jiajia Yiyong Technology Co., Ltd., CN=Wuhan Jiajia + Yiyong Technology Co., Ltd. + ValidFrom: '2020-11-17 00:00:00' + ValidTo: '2023-11-12 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 012eab44fa8853d913e7107c89406432 + Version: 3 + TBS: + MD5: 5d40693a8cfc4fd21f0c610ed3ee8477 + SHA1: 4dffeb59ea4c32c7b87c9fe44d55f5e622444824 + SHA256: d7380ff1b3d400fdf8cf2d8ab18ac65a071ae51c83cce017fa236fb530c4af74 + - Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing + CA + ValidFrom: '2012-04-18 12:00:00' + ValidTo: '2027-04-18 12:00:00' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 0dd0e3374ac95bdbfa6b434b2a48ec06 + Version: 3 + TBS: + MD5: f92649915476229b093c211c2b18e6c4 + SHA1: 2d54c16a8f8b69ccdea48d0603c132f547a5cf75 + SHA256: 2cd702a7dec30aa441345672e8992ef9770ce4946f276d767b45b0ed627658fb + Signer: + - SerialNumber: 
012eab44fa8853d913e7107c89406432 + Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing + CA + Version: 1 + RichPEHeaderHash: + MD5: 0b8725117e665d5272218cb41038327d + SHA1: a6dde20a0c8ba6cfe531ce1a57035b8d7b3d900a + SHA256: b54213d1248761579f5f569ab7e32402dd88a12622377d381f7eb55d4f4eb053 + Sections: + .text: + Entropy: 6.316575464847126 + Virtual Size: '0xf332' + .rdata: + Entropy: 7.924631486386995 + Virtual Size: '0x1104dc' + .data: + Entropy: 1.4059711626373768 + Virtual Size: '0x2608' + .pdata: + Entropy: 4.817825512018466 + Virtual Size: '0x6d8' + INIT: + Entropy: 5.256170796244334 + Virtual Size: '0xb70' + .rsrc: + Entropy: 3.333432129597516 + Virtual Size: '0x400' + .reloc: + Entropy: 1.3463891478457575 + Virtual Size: '0x174' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2023-03-27 22:28:03' +- Filename: windbg.sys + MD5: 5ebfc0af031130ba9de1d5d3275734b3 + SHA1: 48f03a13b0f6d3d929a86514ce48a9352ffef5ad + SHA256: bb2422e96ea993007f25c71d55b2eddfa1e940c89e895abb50dd07d7c17ca1df + Signature: '' + Date: '' + Publisher: '' + Company: Microsoft Corporation + Description: Windows GUI symbolic debugger + Product: Microsoft? Windows? Operating System + ProductVersion: 10.0.19041.685 + FileVersion: 10.0.19041.685 (WinBuild.160101.0800) + MachineType: AMD64 + OriginalFilename: windbg.sys + Authentihash: + MD5: 1959eac3bb98c3032791b0dc6d662281 + SHA1: f8df5fd765770a56c227c66b47edcf38f868ef33 + SHA256: a0801ade5de44b65afb8c275e11e4d766ae64af1a5740ad4f1db1acc4e088774 + InternalName: windbg.sys + Copyright: '? Microsoft Corporation. All rights reserved.' 
+ Imports: + - ntoskrnl.exe + ExportedFunctions: '' + ImportedFunctions: + - ExAllocatePoolWithTag + - PsProcessType + - IoGetLowerDeviceObject + - ExFreePoolWithTag + - IoRegisterShutdownNotification + - IoAttachDeviceToDeviceStackSafe + - PsLookupProcessByProcessId + - RtlInitUnicodeString + - IoDeleteDevice + - MmGetSystemRoutineAddress + - IoDetachDevice + - KeDelayExecutionThread + - IoUnregisterShutdownNotification + - ZwClose + - IoGetAttachedDeviceReference + - PsGetCurrentProcessId + - ObfDereferenceObject + - IoCreateDevice + - IoEnumerateDeviceObjectList + - IoUnregisterFsRegistrationChange + - ObOpenObjectByPointer + - IoRegisterFsRegistrationChange + - IofCallDriver + - MmUnmapLockedPages + - _wcsicmp + - PsGetProcessPeb + - ZwCreateKey + - RtlCreateUnicodeString + - MmMapLockedPages + - PsSetLoadImageNotifyRoutine + - _wcsnicmp + - ZwReadFile + - IoGetRelatedDeviceObject + - KeSetEvent + - IoCreateFile + - KeInitializeEvent + - ZwDeleteValueKey + - ZwSetValueKey + - RtlEqualUnicodeString + - MmBuildMdlForNonPagedPool + - IoFreeMdl + - RtlFreeUnicodeString + - ObQueryNameString + - IoFileObjectType + - ZwQueryValueKey + - _vsnwprintf + - RtlRandom + - ObReferenceObjectByHandle + - KeWaitForSingleObject + - PsRemoveLoadImageNotifyRoutine + - ZwFlushKey + - MmCreateMdl + - IoFreeIrp + - ZwDeleteFile + - PsGetVersion + - IoAllocateIrp + - CmRegisterCallback + - RtlCopyUnicodeString + - MmIsAddressValid + - CmUnRegisterCallback + - ZwQueryInformationFile + - ZwWriteFile + - ZwDeleteKey + - ZwEnumerateKey + - ZwAllocateVirtualMemory + - ZwOpenKey + - KeUnstackDetachProcess + - ZwWaitForSingleObject + - ZwFreeVirtualMemory + - PsGetProcessSessionId + - ZwDuplicateObject + - ObReferenceObjectByName + - KeStackAttachProcess + - RtlSubAuthoritySid + - _strnicmp + - ZwOpenProcessTokenEx + - PsCreateSystemThread + - PsTerminateSystemThread + - PsThreadType + - RtlSubAuthorityCountSid + - ZwQueryInformationToken + - KeBugCheckEx + - strncmp + - strstr + - strchr + 
- strncpy + - _vsnprintf + - rand + - _stricmp + - ExAllocatePool + - IoBuildDeviceIoControlRequest + - ZwCreateFile + - MmProbeAndLockPages + - IoAllocateMdl + - __C_specific_handler + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance + EV Root CA + ValidFrom: '2011-04-15 19:45:33' + ValidTo: '2021-04-15 19:55:33' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 61204db4000000000027 + Version: 3 + TBS: + MD5: 8e3ffc222fbcebdbb8b23115ab259be7 + SHA1: ee20bff28ffe13be731c294c90d6ded5aae0ec0e + SHA256: 59826b69bc8c28118c96323b627da59aaca0b142cc5d8bad25a8fcfd399aa821 + - Subject: ??=CN, ??=, ??=, ??=Private Organization, serialNumber=91420100MA4KN92W72, + C=CN, ST=, L=, O=Wuhan Jiajia Yiyong Technology Co., Ltd., CN=Wuhan Jiajia + Yiyong Technology Co., Ltd. + ValidFrom: '2020-11-17 00:00:00' + ValidTo: '2023-11-12 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 012eab44fa8853d913e7107c89406432 + Version: 3 + TBS: + MD5: 5d40693a8cfc4fd21f0c610ed3ee8477 + SHA1: 4dffeb59ea4c32c7b87c9fe44d55f5e622444824 + SHA256: d7380ff1b3d400fdf8cf2d8ab18ac65a071ae51c83cce017fa236fb530c4af74 + - Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing + CA + ValidFrom: '2012-04-18 12:00:00' + ValidTo: '2027-04-18 12:00:00' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 0dd0e3374ac95bdbfa6b434b2a48ec06 + Version: 3 + TBS: + MD5: f92649915476229b093c211c2b18e6c4 + SHA1: 2d54c16a8f8b69ccdea48d0603c132f547a5cf75 + SHA256: 2cd702a7dec30aa441345672e8992ef9770ce4946f276d767b45b0ed627658fb + Signer: + - SerialNumber: 
012eab44fa8853d913e7107c89406432 + Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing + CA + Version: 1 + RichPEHeaderHash: + MD5: 0b8725117e665d5272218cb41038327d + SHA1: a6dde20a0c8ba6cfe531ce1a57035b8d7b3d900a + SHA256: b54213d1248761579f5f569ab7e32402dd88a12622377d381f7eb55d4f4eb053 + Sections: + .text: + Entropy: 6.315949532585678 + Virtual Size: '0xf332' + .rdata: + Entropy: 7.924187513971753 + Virtual Size: '0x1100cc' + .data: + Entropy: 1.4059711626373768 + Virtual Size: '0x2608' + .pdata: + Entropy: 4.843716813714921 + Virtual Size: '0x6d8' + INIT: + Entropy: 5.256170796244334 + Virtual Size: '0xb70' + .rsrc: + Entropy: 3.333432129597516 + Virtual Size: '0x400' + .reloc: + Entropy: 1.3463891478457575 + Virtual Size: '0x174' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2023-03-30 04:23:58' +- Filename: windbg.sys + MD5: 40b968ecdbe9e967d92c5da51c390eee + SHA1: b8b123a413b7bccfa8433deba4f88669c969b543 + SHA256: 06c5ebd0371342d18bc81a96f5e5ce28de64101e3c2fd0161d0b54d8368d2f1f + Signature: '' + Date: '' + Publisher: '' + Company: Microsoft Corporation + Description: Windows GUI symbolic debugger + Product: Microsoft? Windows? Operating System + ProductVersion: 10.0.19041.685 + FileVersion: 10.0.19041.685 (WinBuild.160101.0800) + MachineType: AMD64 + OriginalFilename: windbg.sys + Authentihash: + MD5: 98a3ab2b723de48256701b417ff87a65 + SHA1: ff80d6663a92ff454526e88847cbb4d9bd00e21e + SHA256: 79278979d9300670d1084493bbc03ae374efc5ab02850941e85753885fa88e47 + InternalName: windbg.sys + Copyright: '? Microsoft Corporation. All rights reserved.' 
+ Imports: + - ntoskrnl.exe + ExportedFunctions: '' + ImportedFunctions: + - ExAllocatePoolWithTag + - PsProcessType + - IoGetLowerDeviceObject + - ExFreePoolWithTag + - IoRegisterShutdownNotification + - IoAttachDeviceToDeviceStackSafe + - PsLookupProcessByProcessId + - RtlInitUnicodeString + - IoDeleteDevice + - MmGetSystemRoutineAddress + - IoDetachDevice + - KeDelayExecutionThread + - IoUnregisterShutdownNotification + - ZwClose + - IoGetAttachedDeviceReference + - PsGetCurrentProcessId + - ObfDereferenceObject + - IoCreateDevice + - IoEnumerateDeviceObjectList + - IoUnregisterFsRegistrationChange + - ObOpenObjectByPointer + - IoRegisterFsRegistrationChange + - IofCallDriver + - MmUnmapLockedPages + - _wcsicmp + - PsGetProcessPeb + - ZwCreateKey + - RtlCreateUnicodeString + - MmMapLockedPages + - PsSetLoadImageNotifyRoutine + - _wcsnicmp + - ZwReadFile + - IoGetRelatedDeviceObject + - KeSetEvent + - IoCreateFile + - KeInitializeEvent + - ZwDeleteValueKey + - ZwSetValueKey + - RtlEqualUnicodeString + - MmBuildMdlForNonPagedPool + - IoFreeMdl + - RtlFreeUnicodeString + - ObQueryNameString + - IoFileObjectType + - ZwQueryValueKey + - _vsnwprintf + - RtlRandom + - ObReferenceObjectByHandle + - KeWaitForSingleObject + - PsRemoveLoadImageNotifyRoutine + - ZwFlushKey + - MmCreateMdl + - IoFreeIrp + - ZwDeleteFile + - PsGetVersion + - IoAllocateIrp + - CmRegisterCallback + - RtlCopyUnicodeString + - MmIsAddressValid + - CmUnRegisterCallback + - ZwQueryInformationFile + - ZwWriteFile + - ZwDeleteKey + - ZwEnumerateKey + - ZwAllocateVirtualMemory + - ZwOpenKey + - KeUnstackDetachProcess + - ZwWaitForSingleObject + - ZwFreeVirtualMemory + - PsGetProcessSessionId + - ZwDuplicateObject + - ObReferenceObjectByName + - KeStackAttachProcess + - RtlSubAuthoritySid + - _strnicmp + - ZwOpenProcessTokenEx + - PsCreateSystemThread + - PsTerminateSystemThread + - PsThreadType + - RtlSubAuthorityCountSid + - ZwQueryInformationToken + - KeBugCheckEx + - strncmp + - strstr + - strchr + 
- strncpy + - _vsnprintf + - rand + - _stricmp + - ExAllocatePool + - IoBuildDeviceIoControlRequest + - ZwCreateFile + - MmProbeAndLockPages + - IoAllocateMdl + - __C_specific_handler + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Windows Hardware Compatibility Publisher + ValidFrom: '2023-01-12 19:14:52' + ValidTo: '2023-12-15 19:14:52' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.11 + IsCertificateAuthority: false + SerialNumber: 33000000f5e8773b206b1ccd610000000000f5 + Version: 3 + TBS: + MD5: bf6aed18e4c3fd6ac87330096df18117 + SHA1: f96be504b875f1e63bf51eacc6768e4fdecddcc6 + SHA256: 76c137a4dd29ebb1cb6a5d319d17e7049ad6d524f9de5d47c24c14b16a4f0720 + - Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Windows Third Party Component CA 2012 + ValidFrom: '2012-04-18 23:48:38' + ValidTo: '2027-04-18 23:58:38' + Signature: 
5a8a67daccd5fd0d264177bf0a4678b4b3de12692b7723c2652f015fd203f461ba509d2e8c3972f36c3e6ab11e766decb7f382dcccbbc56970287366173f54ebee011648c446d91b80ae813a8d0f796d68b09eea2d3f39d3ca387ebd5e7c086e19dcc6c2f438336861e2524783e1000156d2bacb878205310a418b4ee77f5f5fed5fd3392d45eba213bffd1ec298417161165fc80a70257c59693124e471e70abb0417f79f721ec9d2bb1abe3d02fe090cb243b4591a99539396215fe0d6b72601429536ac27fdbef48577683d18bdf4be98882211865216f345ec0397107087a37043713cdbc98603170cf5735bc67de15c64edd7c548d7ed32e2d1aad3cfa7f6574e61f977eb67f288b3de00da038fd08a34373e1dd862b8d2b1f3e12f8b723b81967c6ffcec667672601b24f2a0896d5b6d002eef28dd868705c2b4b9e5be64c22af24a155c98e2c42785ff52e3627e0fb2020bd766c70ab2d33d200414503259830a7d9bed5a38120152ba2f5e20728e4af1fde771028c3be107bec973f4dd47d8b4efb4a4b330b9893e76cab90098567eabea8ab8a5d038ab6977130b142fe9aa411ff7babd3a2b348aee0aab63e663f788248e200d2b3b9de3c24952ac9f1f0e393b5dd46e506ae67d523aaa7c3315290d265e0158a74ea93d7a846f743f609fe4324f3600af6d71d33ea646655f8174f1fec171da4ca0415a82ddf11f + SignatureAlgorithmOID: 1.2.840.113549.1.1.11 + IsCertificateAuthority: true + SerialNumber: 610baac1000000000009 + Version: 3 + TBS: + MD5: a569061297e8e824767dbc3184a69bea + SHA1: adbb26a587a8f44b4fccaecb306f980d1c55a150 + SHA256: cec1afd0e310c55c1dcc601ab8e172917706aa32fb5eaf826813547fdf02dd46 + Signer: + - SerialNumber: 33000000f5e8773b206b1ccd610000000000f5 + Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Windows Third Party Component CA 2012 + Version: 1 + RichPEHeaderHash: + MD5: 0b8725117e665d5272218cb41038327d + SHA1: a6dde20a0c8ba6cfe531ce1a57035b8d7b3d900a + SHA256: b54213d1248761579f5f569ab7e32402dd88a12622377d381f7eb55d4f4eb053 + Sections: + .text: + Entropy: 6.316212989532183 + Virtual Size: '0xf332' + .rdata: + Entropy: 7.924187513971753 + Virtual Size: '0x1100cc' + .data: + Entropy: 1.4059711626373768 + Virtual Size: '0x2608' + .pdata: + Entropy: 4.843716813714921 + Virtual Size: '0x6d8' + INIT: + Entropy: 
5.256170796244334 + Virtual Size: '0xb70' + .rsrc: + Entropy: 3.333432129597516 + Virtual Size: '0x400' + .reloc: + Entropy: 1.3463891478457575 + Virtual Size: '0x174' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2023-03-30 04:23:58' +- Filename: windbg.sys + MD5: c71be7b112059d2dc84c0f952e04e6cc + SHA1: 9ee31f1f25f675a12b7bad386244a9fbfa786a87 + SHA256: 6661320f779337b95bbbe1943ee64afb2101c92f92f3d1571c1bf4201c38c724 + Signature: '' + Date: '' + Publisher: '' + Company: Microsoft Corporation + Description: Windows GUI symbolic debugger + Product: Microsoft? Windows? Operating System + ProductVersion: 10.0.19041.685 + FileVersion: 10.0.19041.685 (WinBuild.160101.0800) + MachineType: I386 + OriginalFilename: windbg.sys + Authentihash: + MD5: 01788e7162863cfe7aeba0f040a6cc08 + SHA1: ded2c02db6b5addf9d521361fd3657b2b6894a48 + SHA256: 223b320fb86cd4a1019ce31ac6901ce6bc41792810bd995db232dad790398852 + InternalName: windbg.sys + Copyright: '? Microsoft Corporation. All rights reserved.' + Imports: + - ntoskrnl.exe + ExportedFunctions: '' + ImportedFunctions: + - IoDeleteDevice + - IoDetachDevice + - memcpy + - memset + - ZwClose + - ExFreePoolWithTag + - ExAllocatePoolWithTag + - ObOpenObjectByPointer + - PsProcessType + - PsLookupProcessByProcessId + - MmGetSystemRoutineAddress + - RtlInitUnicodeString + - IofCallDriver + - PsGetCurrentProcessId + - IoGetLowerDeviceObject + - ObfDereferenceObject + - IoGetAttachedDeviceReference + - IoUnregisterShutdownNotification + - KeDelayExecutionThread + - IoAttachDeviceToDeviceStackSafe + - IoCreateDevice + - IoEnumerateDeviceObjectList + - IoRegisterShutdownNotification + - IoUnregisterFsRegistrationChange + - IoRegisterFsRegistrationChange + - _vsnwprintf + - PsGetVersion + - ZwAllocateVirtualMemory + - MmUnmapLockedPages + - IoFreeMdl + - MmMapLockedPages + - MmBuildMdlForNonPagedPool + - MmCreateMdl + - ZwReadFile + - ZwQueryInformationFile + - IoCreateFile + - _wcsicmp + - _wcsnicmp + - RtlEqualUnicodeString + - 
ZwWriteFile + - ZwFlushKey + - ZwSetValueKey + - ZwQueryValueKey + - RtlRandom + - KeQuerySystemTime + - ZwDeleteKey + - ZwOpenKey + - ZwEnumerateKey + - ObQueryNameString + - RtlCopyUnicodeString + - MmIsAddressValid + - PsGetProcessPeb + - RtlCreateUnicodeString + - ZwDeleteValueKey + - ZwCreateKey + - RtlFreeUnicodeString + - ZwDeleteFile + - PsRemoveLoadImageNotifyRoutine + - CmUnRegisterCallback + - PsSetLoadImageNotifyRoutine + - CmRegisterCallback + - ObReferenceObjectByName + - ZwFreeVirtualMemory + - ZwWaitForSingleObject + - KeUnstackDetachProcess + - KeStackAttachProcess + - ZwDuplicateObject + - PsGetProcessSessionId + - _strnicmp + - RtlSubAuthoritySid + - RtlSubAuthorityCountSid + - ZwQueryInformationToken + - ZwOpenProcessTokenEx + - PsTerminateSystemThread + - KeWaitForSingleObject + - ObReferenceObjectByHandle + - PsThreadType + - PsCreateSystemThread + - KeInitializeEvent + - KeSetEvent + - KeTickCount + - KeBugCheckEx + - _vsnprintf + - strncmp + - strchr + - strncpy + - strstr + - ExAllocatePool + - _stricmp + - rand + - ZwCreateFile + - IoBuildDeviceIoControlRequest + - IoGetRelatedDeviceObject + - MmProbeAndLockPages + - IoFreeIrp + - IoAllocateMdl + - _allshl + - RtlUnwind + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=CN, ST=Guangdong, L=Shenzhen, O=Shenzhen Luyoudashi Technology Co., + Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Shenzhen + Luyoudashi Technology Co., Ltd. 
+ ValidFrom: '2014-05-06 00:00:00' + ValidTo: '2015-05-06 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 5f9e06262d2eed425c886a4709350426 + Version: 3 + TBS: + MD5: e01323d4e9f20b9c042abdd9585d2d81 + SHA1: d1fab71f563191354037fe0bb8bf73718c721e45 + SHA256: 9db6a214ff40e20a9785ef23e93d98de1c0f3b018703c86e6c7cd0d4ade37a14 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2011-02-22 19:25:17' + ValidTo: '2021-02-22 19:35:17' + Signature: 812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 611993e400000000001c + Version: 3 + TBS: + MD5: 78a717e082dcc1cda3458d917e677d14 + SHA1: 4a872e0e51f9b304469cd1dedb496ee9b8b983a4 + SHA256: 
317fa1d234ebc49040ebc5e8746f8997471496051b185a91bdd9dfbb23fab5f8 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + - Subject: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo + RSA Time Stamping CA + ValidFrom: '2019-05-02 00:00:00' + ValidTo: '2038-01-18 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.12 + IsCertificateAuthority: true + SerialNumber: 300f6facdd6698747ca94636a7782db9 + Version: 3 + TBS: + MD5: 63499ed59a1293b786649470e4ce0bd7 + SHA1: 7309d8eaa65da1f3da7030c08f00a3b0a20fa908 + SHA256: 8c8d2046b29e792e71b28705fe67c435208a336dde074a75452d98e72c734937 + - Subject: 'C=GB, ST=Manchester, O=Sectigo Limited, CN=Sectigo RSA Time Stamping + Signer #3' + ValidFrom: '2022-05-11 00:00:00' + ValidTo: '2033-08-10 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.12 + IsCertificateAuthority: false + SerialNumber: 0090397f9ad24a3a13f2bd915f0838a943 + Version: 3 + TBS: + MD5: 26ec2c9bfcb06fdf8a6d95f2c616fd72 + SHA1: 635466f1432046f6fd338624c068872ab6488b12 + SHA256: 2219bd6adf84dc8f6f04833974d150f75f5ce79cbf85788a6f7efaa4a5205839 + Signer: + - SerialNumber: 5f9e06262d2eed425c886a4709350426 + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + 
Version: 1 + RichPEHeaderHash: + MD5: fcc2deab7e9faa5b1d77595feb500b14 + SHA1: 986d82b450e146954da1d2aa002df555a2458878 + SHA256: 8a1062d510272d9077cb3bc5a2afaeb4284c1d31bca2a87324830440d1165e6c + Sections: + .text: + Entropy: 6.537204681444195 + Virtual Size: '0xcbb8' + .rdata: + Entropy: 7.89986640817199 + Virtual Size: '0xe2184' + .data: + Entropy: 2.3812541502696827 + Virtual Size: '0x2420' + INIT: + Entropy: 5.640068534278057 + Virtual Size: '0x9d4' + .rsrc: + Entropy: 3.3328333229060245 + Virtual Size: '0x400' + .reloc: + Entropy: 3.325148925851967 + Virtual Size: '0x143c' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2023-03-07 08:50:54' +- Filename: windbg.sys + MD5: 0ea8389589c603a8b05146bd06020597 + SHA1: 3c1c3f5f5081127229ba0019fbf0efc2a9c1d677 + SHA256: f9f2091fccb289bcf6a945f6b38676ec71dedb32f3674262928ccaf840ca131a + Signature: '' + Date: '' + Publisher: '' + Company: Microsoft Corporation + Description: Windows GUI symbolic debugger + Product: Microsoft? Windows? Operating System + ProductVersion: 10.0.19041.685 + FileVersion: 10.0.19041.685 (WinBuild.160101.0800) + MachineType: I386 + OriginalFilename: windbg.sys + Authentihash: + MD5: 0318de365e28ee38442c92b03747b088 + SHA1: ff0497dbd779bd65bbb7302b360dc0738a464e9b + SHA256: dd759c6b9c4222c7b19e8b0ba7288d7395594d6884b9bcdf0ccfada3e6b7a8d5 + InternalName: windbg.sys + Copyright: '? Microsoft Corporation. All rights reserved.' 
+ Imports: + - ntoskrnl.exe + ExportedFunctions: '' + ImportedFunctions: + - IoDeleteDevice + - IoDetachDevice + - memcpy + - memset + - ZwClose + - ExFreePoolWithTag + - ExAllocatePoolWithTag + - ObOpenObjectByPointer + - PsProcessType + - PsLookupProcessByProcessId + - MmGetSystemRoutineAddress + - RtlInitUnicodeString + - IofCallDriver + - PsGetCurrentProcessId + - IoGetLowerDeviceObject + - ObfDereferenceObject + - IoGetAttachedDeviceReference + - IoUnregisterShutdownNotification + - KeDelayExecutionThread + - IoAttachDeviceToDeviceStackSafe + - IoCreateDevice + - IoEnumerateDeviceObjectList + - IoRegisterShutdownNotification + - IoUnregisterFsRegistrationChange + - IoRegisterFsRegistrationChange + - _vsnwprintf + - PsGetVersion + - ZwAllocateVirtualMemory + - MmUnmapLockedPages + - IoFreeMdl + - MmMapLockedPages + - MmBuildMdlForNonPagedPool + - MmCreateMdl + - ZwReadFile + - ZwQueryInformationFile + - IoCreateFile + - _wcsicmp + - _wcsnicmp + - RtlEqualUnicodeString + - ZwWriteFile + - ZwFlushKey + - ZwSetValueKey + - ZwQueryValueKey + - RtlRandom + - KeQuerySystemTime + - ZwDeleteKey + - ZwOpenKey + - ZwEnumerateKey + - ObQueryNameString + - RtlCopyUnicodeString + - MmIsAddressValid + - PsGetProcessPeb + - RtlCreateUnicodeString + - ZwDeleteValueKey + - ZwCreateKey + - RtlFreeUnicodeString + - ZwDeleteFile + - PsRemoveLoadImageNotifyRoutine + - CmUnRegisterCallback + - PsSetLoadImageNotifyRoutine + - CmRegisterCallback + - ObReferenceObjectByName + - ZwFreeVirtualMemory + - ZwWaitForSingleObject + - KeUnstackDetachProcess + - KeStackAttachProcess + - ZwDuplicateObject + - PsGetProcessSessionId + - _strnicmp + - RtlSubAuthoritySid + - RtlSubAuthorityCountSid + - ZwQueryInformationToken + - ZwOpenProcessTokenEx + - PsTerminateSystemThread + - KeWaitForSingleObject + - ObReferenceObjectByHandle + - PsThreadType + - PsCreateSystemThread + - KeInitializeEvent + - KeSetEvent + - KeTickCount + - KeBugCheckEx + - _vsnprintf + - strncmp + - strchr + - strncpy + - 
strstr + - ExAllocatePool + - _stricmp + - rand + - ZwCreateFile + - IoBuildDeviceIoControlRequest + - IoGetRelatedDeviceObject + - MmProbeAndLockPages + - IoFreeIrp + - IoAllocateMdl + - _allshl + - RtlUnwind + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=CN, ST=Shandong, L=Binzhou, O=Binzhoushi Yongyu Feed Co.,LTd., CN=Binzhoushi + Yongyu Feed Co.,LTd. + ValidFrom: '2014-01-17 00:00:00' + ValidTo: '2016-01-17 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 5d11784fb81765023f89a4f4243fe1a9 + Version: 3 + TBS: + MD5: b5ff0da6f1d327dca52b08e9c7c8d439 + SHA1: c7acfdfc234a3bb37535cbe2785d9202b4b0a10c + SHA256: 80a8f0e8652dcea59596b4238f4c2d9f0212a25ea7434fde70a68a202b7ed0b1 + - Subject: C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2 + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 47974d7873a5bcab0d2fb370192fce5e + Version: 3 + TBS: + MD5: e3a93dc2a8a8a668fdbb286bfe9afab5 + SHA1: 95795d2aa2a554a423bc8c6e5b0a016d14887d35 + SHA256: d8844186775bddbccaf3dc017064df7d760fd4b85c5d07561a3efd7da950f89e + - Subject: C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 + thawte, Inc. 
, For authorized use only, CN=thawte Primary Root CA + ValidFrom: '2011-02-22 19:31:57' + ValidTo: '2021-02-22 19:41:57' + Signature: 2dcc71b5e8ba94ff5ee64467007b6afc412c3ee70e41855ab12a932ba95b89f2f72b499c8003f297b8e760a80ed7fd5de545467594f4ed1c9de166228b61fb29f2c6a8bdf387c98f7f47e1c058b64a1aa2e7f718606969e083069e26c775c40c0d79da746b52b9fae8ea3359b9bb18dd291a14dfd36a37277a9da0dacffffc22c4faf009ff33e93e17ba1cc742cfce2743d30c0c5581303db96060ce02ece19ee81ddc852ce0a18d966d95ac17a4713ea16741b6281d2ce3b615e5b7e5a2f6256d86e320acf9f8314f8e629b9833376d6af735523e90feb03b5fc5b852a9e06ea0479a279e97aea24a9e531939ec357ec659de3ae0aaf533f06abda0821812dea18c4570ca2bd62e959145995a5c240049bd23b30ceca43df5b9e1d1b1825a38eea3fba1ab483a8c5dffa065223fd3d3fe4990db1446a3852e8a554b09ab38b2ab63a008d1fdad48e273d812bcc26ca516fad09ac05e38383a2b718e553aac42197a1f0d4220e7ab5d8c6880524ca1c0d488d02321fb901309007b4937afa9df486022abf4f6c2363bf8513c34bbc586e43ae19f4b90fe5461024b159c34176aa94b8d4cb69d2326c83af1d6b805cdda1d6240183a2f1b41cd3a993a0aa9d1d77eb8c4aff7b8c980105ed55df6ce7a9a02c50f6381efb564e9fc5bd8d2619a68c37cf9c78df91e87d5fa2cf816ae9dab068fc86dc741cda14e84e3dac26ebcfb + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 611fb0a400000000001d + Version: 3 + TBS: + MD5: a3f222107d4e1085e73b5b589c2f480b + SHA1: b94aa26cd77c48d91a53ac44506cbd255e1d362c + SHA256: a39ed0d6fd4eb1a6f7fed60f726e23eae668b7591bc004644625d22c701213fa + Signer: + - SerialNumber: 5d11784fb81765023f89a4f4243fe1a9 + Issuer: C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2 + Version: 1 + RichPEHeaderHash: + MD5: fcc2deab7e9faa5b1d77595feb500b14 + SHA1: 986d82b450e146954da1d2aa002df555a2458878 + SHA256: 8a1062d510272d9077cb3bc5a2afaeb4284c1d31bca2a87324830440d1165e6c + Sections: + .text: + Entropy: 6.5355947269042955 + Virtual Size: '0xcbb8' + .rdata: + Entropy: 7.900782744418186 + Virtual Size: '0xe2184' + .data: + Entropy: 2.3812541502696827 + Virtual Size: '0x2420' + INIT: + 
Entropy: 5.640068534278057 + Virtual Size: '0x9d4' + .rsrc: + Entropy: 3.3328333229060245 + Virtual Size: '0x400' + .reloc: + Entropy: 3.325148925851967 + Virtual Size: '0x143c' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2023-03-08 03:14:17' +- Filename: windbg.sys + MD5: 19bdd9b799e3c2c54c0d7fff68b31c20 + SHA1: ea4a405445bb6e58c16b81f6d5d2c9a9edde419b + SHA256: e6f764c3b5580cd1675cbf184938ad5a201a8c096607857869bd7c3399df0d12 + Signature: '' + Date: '' + Publisher: '' + Company: Microsoft Corporation + Description: Windows GUI symbolic debugger + Product: Microsoft? Windows? Operating System + ProductVersion: 10.0.19041.685 + FileVersion: 10.0.19041.685 (WinBuild.160101.0800) + MachineType: I386 + OriginalFilename: windbg.sys + Authentihash: + MD5: 619b74b682d2abd190cb3e0ac5ecd6f7 + SHA1: ed5e61e534550b1f286d0801d4464d45f38d2739 + SHA256: 40e0be2ed5d07d5ecf14232fe64a95c7ad6fd942a60b4a6e21fda69c75bbb78d + InternalName: windbg.sys + Copyright: '? Microsoft Corporation. All rights reserved.' 
+ Imports: + - ntoskrnl.exe + - ntoskrnl.exe + - HAL.dll + ExportedFunctions: '' + ImportedFunctions: + - IoDeleteDevice + - ExAllocatePool + - NtQuerySystemInformation + - ExFreePoolWithTag + - IoAllocateMdl + - MmProbeAndLockPages + - MmMapLockedPagesSpecifyCache + - MmUnlockPages + - IoFreeMdl + - KeQueryActiveProcessors + - KeSetSystemAffinityThread + - KeRevertToUserAffinityThread + - DbgPrint + - _except_handler3 + - KeQueryPerformanceCounter + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance + EV Root CA + ValidFrom: '2011-04-15 19:45:33' + ValidTo: '2021-04-15 19:55:33' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 61204db4000000000027 + Version: 3 + TBS: + MD5: 8e3ffc222fbcebdbb8b23115ab259be7 + SHA1: ee20bff28ffe13be731c294c90d6ded5aae0ec0e + SHA256: 59826b69bc8c28118c96323b627da59aaca0b142cc5d8bad25a8fcfd399aa821 + - Subject: ??=CN, ??=, ??=, ??=Private Organization, serialNumber=91420100MA4KN92W72, + C=CN, ST=, L=, O=Wuhan Jiajia Yiyong Technology Co., Ltd., CN=Wuhan Jiajia + Yiyong Technology Co., Ltd. 
+ ValidFrom: '2020-11-17 00:00:00' + ValidTo: '2023-11-12 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 012eab44fa8853d913e7107c89406432 + Version: 3 + TBS: + MD5: 5d40693a8cfc4fd21f0c610ed3ee8477 + SHA1: 4dffeb59ea4c32c7b87c9fe44d55f5e622444824 + SHA256: d7380ff1b3d400fdf8cf2d8ab18ac65a071ae51c83cce017fa236fb530c4af74 + - Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing + CA + ValidFrom: '2012-04-18 12:00:00' + ValidTo: '2027-04-18 12:00:00' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 0dd0e3374ac95bdbfa6b434b2a48ec06 + Version: 3 + TBS: + MD5: f92649915476229b093c211c2b18e6c4 + SHA1: 2d54c16a8f8b69ccdea48d0603c132f547a5cf75 + SHA256: 2cd702a7dec30aa441345672e8992ef9770ce4946f276d767b45b0ed627658fb + Signer: + - SerialNumber: 012eab44fa8853d913e7107c89406432 + Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing + CA + Version: 1 + RichPEHeaderHash: + MD5: ffdf660eb1ebf020a1d0a55a90712dfb + SHA1: 3e905e3d061d0d59de61fcf39c994fcb0ec1bab3 + SHA256: 2b3f99a94b7a7132854be769e27b331419c53989ef42f686d6f5ba09ddefefd6 + Sections: + .text: + Entropy: 0.0 + Virtual Size: '0xcab8' + .rdata: + Entropy: 0.0 + Virtual Size: '0xdd534' + .data: + Entropy: 0.0 + Virtual Size: '0x2420' + INIT: + Entropy: 0.0 + Virtual Size: '0x9d4' + .!ah: + Entropy: 0.0 + Virtual Size: '0x13a13a' + .ayl: + Entropy: 0.8731292151353464 + Virtual Size: '0x240' + .a"#: + Entropy: 7.905485094234152 + Virtual Size: '0x353c10' + .reloc: + Entropy: 4.327337601167297 + Virtual Size: '0x5bc' + .rsrc: + Entropy: 3.3535230093039967 + Virtual Size: '0x3f8' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2023-03-09 06:55:46' +- Filename: windbg.sys + MD5: 88bea56ae9257b40063785cf47546024 + SHA1: 
b5a8e2104d76dbb04cd9ffe86784113585822375 + SHA256: e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d + Signature: '' + Date: '' + Publisher: '' + Company: Microsoft Corporation + Description: Windows GUI symbolic debugger + Product: Microsoft? Windows? Operating System + ProductVersion: 10.0.19041.685 + FileVersion: 10.0.19041.685 (WinBuild.160101.0800) + MachineType: I386 + OriginalFilename: windbg.sys + Authentihash: + MD5: 265462dbda175886e0c02257f2385753 + SHA1: 0e45b675fec76249e64f8a2d4bd5483886b91169 + SHA256: 37a1a3fa4dc148924c1bfb60c88ffef082ee58cd0ee804d2de0f1d22c1e7802c + InternalName: windbg.sys + Copyright: '? Microsoft Corporation. All rights reserved.' + Imports: + - ntoskrnl.exe + ExportedFunctions: '' + ImportedFunctions: + - IoDeleteDevice + - IoDetachDevice + - memcpy + - memset + - ZwClose + - ExFreePoolWithTag + - ExAllocatePoolWithTag + - ObOpenObjectByPointer + - PsProcessType + - PsLookupProcessByProcessId + - MmGetSystemRoutineAddress + - RtlInitUnicodeString + - IofCallDriver + - PsGetCurrentProcessId + - IoGetLowerDeviceObject + - ObfDereferenceObject + - IoGetAttachedDeviceReference + - IoUnregisterShutdownNotification + - KeDelayExecutionThread + - IoAttachDeviceToDeviceStackSafe + - IoCreateDevice + - IoEnumerateDeviceObjectList + - IoRegisterShutdownNotification + - IoUnregisterFsRegistrationChange + - IoRegisterFsRegistrationChange + - _vsnwprintf + - PsGetVersion + - ZwAllocateVirtualMemory + - MmUnmapLockedPages + - IoFreeMdl + - MmMapLockedPages + - MmBuildMdlForNonPagedPool + - MmCreateMdl + - ZwReadFile + - ZwQueryInformationFile + - IoCreateFile + - _wcsicmp + - _wcsnicmp + - RtlEqualUnicodeString + - ZwWriteFile + - ZwFlushKey + - ZwSetValueKey + - ZwQueryValueKey + - RtlRandom + - KeQuerySystemTime + - ZwDeleteKey + - ZwOpenKey + - ZwEnumerateKey + - IoFreeIrp + - KeSetEvent + - KeWaitForSingleObject + - KeGetCurrentThread + - KeInitializeEvent + - IoAllocateIrp + - IoGetRelatedDeviceObject + - 
ObReferenceObjectByHandle + - IoFileObjectType + - ObQueryNameString + - RtlCopyUnicodeString + - MmIsAddressValid + - PsGetProcessPeb + - RtlCreateUnicodeString + - ZwDeleteValueKey + - ZwCreateKey + - RtlFreeUnicodeString + - ZwDeleteFile + - PsRemoveLoadImageNotifyRoutine + - CmUnRegisterCallback + - PsSetLoadImageNotifyRoutine + - CmRegisterCallback + - ObReferenceObjectByName + - ZwFreeVirtualMemory + - ZwWaitForSingleObject + - KeUnstackDetachProcess + - KeStackAttachProcess + - ZwDuplicateObject + - PsGetProcessSessionId + - _strnicmp + - RtlSubAuthoritySid + - RtlSubAuthorityCountSid + - ZwQueryInformationToken + - ZwOpenProcessTokenEx + - PsTerminateSystemThread + - PsThreadType + - PsCreateSystemThread + - KeTickCount + - KeBugCheckEx + - _vsnprintf + - strncmp + - strchr + - strncpy + - strstr + - ExAllocatePool + - _stricmp + - rand + - ZwCreateFile + - IoBuildDeviceIoControlRequest + - MmProbeAndLockPages + - IoAllocateMdl + - _allshl + - RtlUnwind + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance + EV Root CA + ValidFrom: '2011-04-15 19:45:33' + ValidTo: '2021-04-15 19:55:33' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 61204db4000000000027 + Version: 3 + TBS: + MD5: 8e3ffc222fbcebdbb8b23115ab259be7 + SHA1: ee20bff28ffe13be731c294c90d6ded5aae0ec0e + SHA256: 59826b69bc8c28118c96323b627da59aaca0b142cc5d8bad25a8fcfd399aa821 + - Subject: ??=CN, ??=, ??=, ??=Private Organization, serialNumber=91420100MA4KN92W72, + C=CN, ST=, L=, O=Wuhan Jiajia Yiyong Technology Co., Ltd., CN=Wuhan Jiajia + Yiyong Technology Co., Ltd. 
+ ValidFrom: '2020-11-17 00:00:00' + ValidTo: '2023-11-12 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 012eab44fa8853d913e7107c89406432 + Version: 3 + TBS: + MD5: 5d40693a8cfc4fd21f0c610ed3ee8477 + SHA1: 4dffeb59ea4c32c7b87c9fe44d55f5e622444824 + SHA256: d7380ff1b3d400fdf8cf2d8ab18ac65a071ae51c83cce017fa236fb530c4af74 + - Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing + CA + ValidFrom: '2012-04-18 12:00:00' + ValidTo: '2027-04-18 12:00:00' + Signature: 9e5b963a2e1288acab016da49f75e40187a3a532d7bcbaa97ea3d61417f7c2136b7c738f2b6ae50f265968b08e259b6ceffa6c939208c14dcf459e9c46d61e74a19b14a3fa012f4ab101e1724048111368b9369d914bd7c2391210c1c4dcbb6214142a615d4f387c661fc61bffadbe4f7f945b7343000f4d73b751cf0ef677c05bcd348cd96313aa0e6111d6f28e27fcb47bb8b91120918678ea0ed428ff2ad52438e837b2ec96bb9fbc4a1650e15ebf517d23a032c7c1949e7ac9c026a2cc2587a0127e749f2d8db1c8e784beb9d1e9debb6a4e887371e12238cb2487e9737e51b2ff98eb4e7e2fe0ca0efab35ed1ba0542a8489f83f63fc4caa8df68a05061 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 0dd0e3374ac95bdbfa6b434b2a48ec06 + Version: 3 + TBS: + MD5: f92649915476229b093c211c2b18e6c4 + SHA1: 2d54c16a8f8b69ccdea48d0603c132f547a5cf75 + SHA256: 2cd702a7dec30aa441345672e8992ef9770ce4946f276d767b45b0ed627658fb + Signer: + - SerialNumber: 012eab44fa8853d913e7107c89406432 + Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing + CA + Version: 1 + RichPEHeaderHash: + MD5: e1c6e942db6887e4c9e630b5bb75c313 + SHA1: e703cd9718363d923287424967d01ca57fc8a842 + SHA256: 8afa5d95d504001486a7641c204a06b483d2cf4f3b4ed072606cc05759996d9d + Sections: + .text: + Entropy: 6.560143155001299 + Virtual Size: '0xcf52' + .rdata: + Entropy: 7.956474654695534 + Virtual Size: '0xdc5e4' + .data: + Entropy: 2.3758735106170197 + Virtual Size: '0x2420' + INIT: + 
Entropy: 5.700732148931988 + Virtual Size: '0xa1a' + .rsrc: + Entropy: 3.337476767732356 + Virtual Size: '0x400' + .reloc: + Entropy: 3.4327474207821553 + Virtual Size: '0x144e' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2023-03-30 04:24:09' +- Filename: windbg.sys + MD5: 3f11a94f1ac5efdd19767c6976da9ba4 + SHA1: f92faed3ef92fa5bc88ebc1725221be5d7425528 + SHA256: 4734a0a5d88f44a4939b8d812364cab6ca5f611b9b8ceebe27df6c1ed3a6d8a4 + Signature: '' + Date: '' + Publisher: '' + Company: Microsoft Corporation + Description: Windows GUI symbolic debugger + Product: Microsoft? Windows? Operating System + ProductVersion: 10.0.19041.685 + FileVersion: 10.0.19041.685 (WinBuild.160101.0800) + MachineType: I386 + OriginalFilename: windbg.sys + Authentihash: + MD5: 096f2e1d163a780fa3cb7f0870fe2b34 + SHA1: 0e4f45b762d5c548322cde3d0e2d5ff2d81c87f1 + SHA256: 948735962436df24baa69e58421345d4a295e0821f4f93fd9f64e11f51a9666f + InternalName: windbg.sys + Copyright: '? Microsoft Corporation. All rights reserved.' 
+ Imports: + - ntoskrnl.exe + ExportedFunctions: '' + ImportedFunctions: + - IoDeleteDevice + - IoDetachDevice + - memcpy + - memset + - ZwClose + - ExFreePoolWithTag + - ExAllocatePoolWithTag + - ObOpenObjectByPointer + - PsProcessType + - PsLookupProcessByProcessId + - MmGetSystemRoutineAddress + - RtlInitUnicodeString + - IofCallDriver + - PsGetCurrentProcessId + - IoGetLowerDeviceObject + - ObfDereferenceObject + - IoGetAttachedDeviceReference + - IoUnregisterShutdownNotification + - KeDelayExecutionThread + - IoAttachDeviceToDeviceStackSafe + - IoCreateDevice + - IoEnumerateDeviceObjectList + - IoRegisterShutdownNotification + - IoUnregisterFsRegistrationChange + - IoRegisterFsRegistrationChange + - _vsnwprintf + - PsGetVersion + - ZwAllocateVirtualMemory + - MmUnmapLockedPages + - IoFreeMdl + - MmMapLockedPages + - MmBuildMdlForNonPagedPool + - MmCreateMdl + - ZwReadFile + - ZwQueryInformationFile + - IoCreateFile + - _wcsicmp + - _wcsnicmp + - RtlEqualUnicodeString + - ZwWriteFile + - ZwFlushKey + - ZwSetValueKey + - ZwQueryValueKey + - RtlRandom + - KeQuerySystemTime + - ZwDeleteKey + - ZwOpenKey + - ZwEnumerateKey + - IoFreeIrp + - KeSetEvent + - KeWaitForSingleObject + - KeGetCurrentThread + - KeInitializeEvent + - IoAllocateIrp + - IoGetRelatedDeviceObject + - ObReferenceObjectByHandle + - IoFileObjectType + - ObQueryNameString + - RtlCopyUnicodeString + - MmIsAddressValid + - PsGetProcessPeb + - RtlCreateUnicodeString + - ZwDeleteValueKey + - ZwCreateKey + - RtlFreeUnicodeString + - ZwDeleteFile + - PsRemoveLoadImageNotifyRoutine + - CmUnRegisterCallback + - PsSetLoadImageNotifyRoutine + - CmRegisterCallback + - ObReferenceObjectByName + - ZwFreeVirtualMemory + - ZwWaitForSingleObject + - KeUnstackDetachProcess + - KeStackAttachProcess + - ZwDuplicateObject + - PsGetProcessSessionId + - _strnicmp + - RtlSubAuthoritySid + - RtlSubAuthorityCountSid + - ZwQueryInformationToken + - ZwOpenProcessTokenEx + - PsTerminateSystemThread + - PsThreadType + - 
PsCreateSystemThread + - KeTickCount + - KeBugCheckEx + - _vsnprintf + - strncmp + - strchr + - strncpy + - strstr + - ExAllocatePool + - _stricmp + - rand + - ZwCreateFile + - IoBuildDeviceIoControlRequest + - MmProbeAndLockPages + - IoAllocateMdl + - _allshl + - RtlUnwind + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance + EV Root CA + ValidFrom: '2011-04-15 19:45:33' + ValidTo: '2021-04-15 19:55:33' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 61204db4000000000027 + Version: 3 + TBS: + MD5: 8e3ffc222fbcebdbb8b23115ab259be7 + SHA1: ee20bff28ffe13be731c294c90d6ded5aae0ec0e + SHA256: 59826b69bc8c28118c96323b627da59aaca0b142cc5d8bad25a8fcfd399aa821 + - Subject: ??=CN, ??=, ??=, ??=Private Organization, serialNumber=91420100MA4KN92W72, + C=CN, ST=, L=, O=Wuhan Jiajia Yiyong Technology Co., Ltd., CN=Wuhan Jiajia + Yiyong Technology Co., Ltd. 
+ ValidFrom: '2020-11-17 00:00:00' + ValidTo: '2023-11-12 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 012eab44fa8853d913e7107c89406432 + Version: 3 + TBS: + MD5: 5d40693a8cfc4fd21f0c610ed3ee8477 + SHA1: 4dffeb59ea4c32c7b87c9fe44d55f5e622444824 + SHA256: d7380ff1b3d400fdf8cf2d8ab18ac65a071ae51c83cce017fa236fb530c4af74 + - Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing + CA + ValidFrom: '2012-04-18 12:00:00' + ValidTo: '2027-04-18 12:00:00' + Signature: 9e5b963a2e1288acab016da49f75e40187a3a532d7bcbaa97ea3d61417f7c2136b7c738f2b6ae50f265968b08e259b6ceffa6c939208c14dcf459e9c46d61e74a19b14a3fa012f4ab101e1724048111368b9369d914bd7c2391210c1c4dcbb6214142a615d4f387c661fc61bffadbe4f7f945b7343000f4d73b751cf0ef677c05bcd348cd96313aa0e6111d6f28e27fcb47bb8b91120918678ea0ed428ff2ad52438e837b2ec96bb9fbc4a1650e15ebf517d23a032c7c1949e7ac9c026a2cc2587a0127e749f2d8db1c8e784beb9d1e9debb6a4e887371e12238cb2487e9737e51b2ff98eb4e7e2fe0ca0efab35ed1ba0542a8489f83f63fc4caa8df68a05061 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 0dd0e3374ac95bdbfa6b434b2a48ec06 + Version: 3 + TBS: + MD5: f92649915476229b093c211c2b18e6c4 + SHA1: 2d54c16a8f8b69ccdea48d0603c132f547a5cf75 + SHA256: 2cd702a7dec30aa441345672e8992ef9770ce4946f276d767b45b0ed627658fb + Signer: + - SerialNumber: 012eab44fa8853d913e7107c89406432 + Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing + CA + Version: 1 + RichPEHeaderHash: + MD5: e1c6e942db6887e4c9e630b5bb75c313 + SHA1: e703cd9718363d923287424967d01ca57fc8a842 + SHA256: 8afa5d95d504001486a7641c204a06b483d2cf4f3b4ed072606cc05759996d9d + Sections: + .text: + Entropy: 6.562572727180479 + Virtual Size: '0xcf52' + .rdata: + Entropy: 7.956615408068725 + Virtual Size: '0xdc824' + .data: + Entropy: 2.3758735106170197 + Virtual Size: '0x2420' + INIT: + 
Entropy: 5.700732148931988 + Virtual Size: '0xa1a' + .rsrc: + Entropy: 3.337476767732356 + Virtual Size: '0x400' + .reloc: + Entropy: 3.4303160245829205 + Virtual Size: '0x144e' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2023-03-27 22:28:14' +- Filename: windbg.sys + MD5: 0bdd51cc33e88b5265dfb7d88c5dc8d6 + SHA1: 6a6fe0d69e0ea34d695c3b525e6db639f9ad6ac5 + SHA256: ea50f22daade04d3ca06dedb497b905215cba31aae7b4cab4b533fda0c5be620 + Signature: '' + Date: '' + Publisher: '' + Company: Microsoft Corporation + Description: Windows GUI symbolic debugger + Product: Microsoft? Windows? Operating System + ProductVersion: 10.0.19041.685 + FileVersion: 10.0.19041.685 (WinBuild.160101.0800) + MachineType: I386 + OriginalFilename: windbg.sys + Authentihash: + MD5: 207e5de5c589271ee469dd33442a0bb0 + SHA1: 34e83718226e039ebf28c4ea2284b011701710d0 + SHA256: aa833c9e3bcdc33eaf64fd913e80f5b9ce60618f6e3ff4c386420fea4a494380 + InternalName: windbg.sys + Copyright: '? Microsoft Corporation. All rights reserved.' 
+ Imports: + - ntoskrnl.exe + ExportedFunctions: '' + ImportedFunctions: + - IoDeleteDevice + - IoDetachDevice + - memcpy + - memset + - ZwClose + - ExFreePoolWithTag + - ExAllocatePoolWithTag + - ObOpenObjectByPointer + - PsProcessType + - PsLookupProcessByProcessId + - MmGetSystemRoutineAddress + - RtlInitUnicodeString + - IofCallDriver + - PsGetCurrentProcessId + - IoGetLowerDeviceObject + - ObfDereferenceObject + - IoGetAttachedDeviceReference + - IoUnregisterShutdownNotification + - KeDelayExecutionThread + - IoAttachDeviceToDeviceStackSafe + - IoCreateDevice + - IoEnumerateDeviceObjectList + - IoRegisterShutdownNotification + - IoUnregisterFsRegistrationChange + - IoRegisterFsRegistrationChange + - _vsnwprintf + - PsGetVersion + - ZwAllocateVirtualMemory + - MmUnmapLockedPages + - IoFreeMdl + - MmMapLockedPages + - MmBuildMdlForNonPagedPool + - MmCreateMdl + - ZwReadFile + - ZwQueryInformationFile + - IoCreateFile + - _wcsicmp + - _wcsnicmp + - RtlEqualUnicodeString + - ZwWriteFile + - ZwFlushKey + - ZwSetValueKey + - ZwQueryValueKey + - RtlRandom + - KeQuerySystemTime + - ZwDeleteKey + - ZwOpenKey + - ZwEnumerateKey + - IoFreeIrp + - KeSetEvent + - KeWaitForSingleObject + - KeGetCurrentThread + - KeInitializeEvent + - IoAllocateIrp + - IoGetRelatedDeviceObject + - ObReferenceObjectByHandle + - IoFileObjectType + - ObQueryNameString + - RtlCopyUnicodeString + - MmIsAddressValid + - PsGetProcessPeb + - RtlCreateUnicodeString + - ZwDeleteValueKey + - ZwCreateKey + - RtlFreeUnicodeString + - ZwDeleteFile + - PsRemoveLoadImageNotifyRoutine + - CmUnRegisterCallback + - PsSetLoadImageNotifyRoutine + - CmRegisterCallback + - ObReferenceObjectByName + - ZwFreeVirtualMemory + - ZwWaitForSingleObject + - KeUnstackDetachProcess + - KeStackAttachProcess + - ZwDuplicateObject + - PsGetProcessSessionId + - _strnicmp + - RtlSubAuthoritySid + - RtlSubAuthorityCountSid + - ZwQueryInformationToken + - ZwOpenProcessTokenEx + - PsTerminateSystemThread + - PsThreadType + - 
PsCreateSystemThread + - KeTickCount + - KeBugCheckEx + - _vsnprintf + - strncmp + - strchr + - strncpy + - strstr + - ExAllocatePool + - _stricmp + - rand + - ZwCreateFile + - IoBuildDeviceIoControlRequest + - MmProbeAndLockPages + - IoAllocateMdl + - _allshl + - RtlUnwind + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance + EV Root CA + ValidFrom: '2011-04-15 19:45:33' + ValidTo: '2021-04-15 19:55:33' + Signature: 208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 61204db4000000000027 + Version: 3 + TBS: + MD5: 8e3ffc222fbcebdbb8b23115ab259be7 + SHA1: ee20bff28ffe13be731c294c90d6ded5aae0ec0e + SHA256: 59826b69bc8c28118c96323b627da59aaca0b142cc5d8bad25a8fcfd399aa821 + - Subject: ??=CN, ??=, ??=, ??=Private Organization, serialNumber=91420100MA4KN92W72, + C=CN, ST=, L=, O=Wuhan Jiajia Yiyong Technology Co., Ltd., 
CN=Wuhan Jiajia + Yiyong Technology Co., Ltd. + ValidFrom: '2020-11-17 00:00:00' + ValidTo: '2023-11-12 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 012eab44fa8853d913e7107c89406432 + Version: 3 + TBS: + MD5: 5d40693a8cfc4fd21f0c610ed3ee8477 + SHA1: 4dffeb59ea4c32c7b87c9fe44d55f5e622444824 + SHA256: d7380ff1b3d400fdf8cf2d8ab18ac65a071ae51c83cce017fa236fb530c4af74 + - Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing + CA + ValidFrom: '2012-04-18 12:00:00' + ValidTo: '2027-04-18 12:00:00' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 0dd0e3374ac95bdbfa6b434b2a48ec06 + Version: 3 + TBS: + MD5: f92649915476229b093c211c2b18e6c4 + SHA1: 2d54c16a8f8b69ccdea48d0603c132f547a5cf75 + SHA256: 2cd702a7dec30aa441345672e8992ef9770ce4946f276d767b45b0ed627658fb + Signer: + - SerialNumber: 012eab44fa8853d913e7107c89406432 + Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing + CA + Version: 1 + RichPEHeaderHash: + MD5: e1c6e942db6887e4c9e630b5bb75c313 + SHA1: e703cd9718363d923287424967d01ca57fc8a842 + SHA256: 8afa5d95d504001486a7641c204a06b483d2cf4f3b4ed072606cc05759996d9d + Sections: + .text: + Entropy: 6.560075759576669 + Virtual Size: '0xcf52' + .rdata: + Entropy: 7.956474654695534 + Virtual Size: '0xdc5e4' + .data: + Entropy: 2.3758735106170197 + Virtual Size: '0x2420' + INIT: + Entropy: 5.700732148931988 + Virtual Size: '0xa1a' + .rsrc: + Entropy: 3.337476767732356 + Virtual Size: '0x400' + .reloc: + Entropy: 3.4327474207821553 + Virtual Size: '0x144e' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2023-03-30 04:24:09' +- Filename: windbg.sys + MD5: b6b530dd25c5eb66499968ec82e8791e + SHA1: 9c1c9032aa1e33461f35dbf79b6f2d061bfc6774 + SHA256: 
fa9abb3e7e06f857be191a1e049dd37642ec41fb2520c105df2227fcac3de5d5 + Signature: '' + Date: '' + Publisher: '' + Company: Microsoft Corporation + Description: Windows GUI symbolic debugger + Product: Microsoft? Windows? Operating System + ProductVersion: 10.0.19041.685 + FileVersion: 10.0.19041.685 (WinBuild.160101.0800) + MachineType: I386 + OriginalFilename: windbg.sys + Authentihash: + MD5: dbc72430b48b0ca636a84b9e5ed0d534 + SHA1: 58ca196bfd54c6166aae0f8000fa8a1a66a0073e + SHA256: 45b969ae1b381716a29cd509622470b5b20b70c7efe4c9b7c0568faa298605ff + InternalName: windbg.sys + Copyright: '? Microsoft Corporation. All rights reserved.' + Imports: + - ntoskrnl.exe + ExportedFunctions: '' + ImportedFunctions: + - IoDeleteDevice + - IoDetachDevice + - memcpy + - memset + - ZwClose + - ExFreePoolWithTag + - ExAllocatePoolWithTag + - ObOpenObjectByPointer + - PsProcessType + - PsLookupProcessByProcessId + - MmGetSystemRoutineAddress + - RtlInitUnicodeString + - IofCallDriver + - PsGetCurrentProcessId + - IoGetLowerDeviceObject + - ObfDereferenceObject + - IoGetAttachedDeviceReference + - IoUnregisterShutdownNotification + - KeDelayExecutionThread + - IoAttachDeviceToDeviceStackSafe + - IoCreateDevice + - IoEnumerateDeviceObjectList + - IoRegisterShutdownNotification + - IoUnregisterFsRegistrationChange + - IoRegisterFsRegistrationChange + - _vsnwprintf + - PsGetVersion + - ZwAllocateVirtualMemory + - MmUnmapLockedPages + - IoFreeMdl + - MmMapLockedPages + - MmBuildMdlForNonPagedPool + - MmCreateMdl + - ZwReadFile + - ZwQueryInformationFile + - IoCreateFile + - _wcsicmp + - _wcsnicmp + - RtlEqualUnicodeString + - ZwWriteFile + - ZwFlushKey + - ZwSetValueKey + - ZwQueryValueKey + - RtlRandom + - KeQuerySystemTime + - ZwDeleteKey + - ZwOpenKey + - ZwEnumerateKey + - IoFreeIrp + - KeSetEvent + - KeWaitForSingleObject + - KeGetCurrentThread + - KeInitializeEvent + - IoAllocateIrp + - IoGetRelatedDeviceObject + - ObReferenceObjectByHandle + - IoFileObjectType + - ObQueryNameString 
+ - RtlCopyUnicodeString + - MmIsAddressValid + - PsGetProcessPeb + - RtlCreateUnicodeString + - ZwDeleteValueKey + - ZwCreateKey + - RtlFreeUnicodeString + - ZwDeleteFile + - PsRemoveLoadImageNotifyRoutine + - CmUnRegisterCallback + - PsSetLoadImageNotifyRoutine + - CmRegisterCallback + - ObReferenceObjectByName + - ZwFreeVirtualMemory + - ZwWaitForSingleObject + - KeUnstackDetachProcess + - KeStackAttachProcess + - ZwDuplicateObject + - PsGetProcessSessionId + - _strnicmp + - RtlSubAuthoritySid + - RtlSubAuthorityCountSid + - ZwQueryInformationToken + - ZwOpenProcessTokenEx + - PsTerminateSystemThread + - PsThreadType + - PsCreateSystemThread + - KeTickCount + - KeBugCheckEx + - _vsnprintf + - strncmp + - strchr + - strncpy + - strstr + - ExAllocatePool + - _stricmp + - rand + - ZwCreateFile + - IoBuildDeviceIoControlRequest + - MmProbeAndLockPages + - IoAllocateMdl + - _allshl + - RtlUnwind + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Windows Hardware Compatibility Publisher + ValidFrom: '2023-01-12 19:14:51' + ValidTo: '2023-12-15 19:14:51' + Signature: 04d1261b735b38b551b427cf9a295d4eb18edd92de14079aa33a10511ee6d262938b29ae208f96be64a80e2967fb8d7aa5750613901a9da6a82935398175482096430c9acecb55ee2c5468d119f467378c18251a8fe01e9d7b79bce903ccb7afb227e2d0abee00bd9fd6bbbbd67c014888dc46f3efa912d4576f7ca9980957609cd21fbd51815cb11bee95fa780498d905e866bc1a604e407ee0d97a105bcc8e600200b19b9c3a56cb3918047f21ba9ee2228b46b8e5c8b456ba65e6f0c40d28294b654761660e9d14948866c3f0f65f028e47641059d3f195812e871362128bcefb901d5aeace862e3d683b291d65c138138ea1335fe3552f4c46a7f7b0c6e5 + SignatureAlgorithmOID: 1.2.840.113549.1.1.11 + IsCertificateAuthority: false + SerialNumber: 33000000f3158ea57d1c559f290000000000f3 + Version: 3 + TBS: + MD5: 8d4476692bcda36ed89244b94bd705f0 + SHA1: ce72176d5cad611366e13a9a997ad7ecc7eb815f + SHA256: 
dd1db9c0e7e50040ac6c586c1b6fd479cef240c064473373f75fbeb3e04ff972 + - Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Windows Third Party Component CA 2012 + ValidFrom: '2012-04-18 23:48:38' + ValidTo: '2027-04-18 23:58:38' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.11 + IsCertificateAuthority: true + SerialNumber: 610baac1000000000009 + Version: 3 + TBS: + MD5: a569061297e8e824767dbc3184a69bea + SHA1: adbb26a587a8f44b4fccaecb306f980d1c55a150 + SHA256: cec1afd0e310c55c1dcc601ab8e172917706aa32fb5eaf826813547fdf02dd46 + Signer: + - SerialNumber: 33000000f3158ea57d1c559f290000000000f3 + Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Windows Third Party Component CA 2012 + Version: 1 + RichPEHeaderHash: + MD5: e1c6e942db6887e4c9e630b5bb75c313 + SHA1: e703cd9718363d923287424967d01ca57fc8a842 + SHA256: 8afa5d95d504001486a7641c204a06b483d2cf4f3b4ed072606cc05759996d9d + Sections: + .text: + Entropy: 6.560245241511933 + Virtual Size: '0xcf52' + .rdata: + Entropy: 7.956474654695534 + Virtual Size: '0xdc5e4' + .data: + Entropy: 2.3758735106170197 + Virtual Size: '0x2420' + INIT: + Entropy: 5.700732148931988 + Virtual Size: '0xa1a' + .rsrc: + Entropy: 3.337476767732356 + Virtual Size: '0x400' + .reloc: + Entropy: 3.4327474207821553 + Virtual Size: '0x144e' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2023-03-30 04:24:09' +- Filename: windbg.sys + MD5: 77a7ed4798d02ef6636cd0fd07fc382a + SHA1: 76789196eebfd4203f477a5a6c75eefc12d9a837 + SHA256: f936ec4c8164cbd31add659b61c16cb3a717eac90e74d89c47afb96b60120280 + Signature: '' + Date: '' + Publisher: '' + Company: Microsoft Corporation + Description: Windows GUI symbolic debugger + Product: Microsoft? Windows? 
Operating System + ProductVersion: 10.0.19041.685 + FileVersion: 10.0.19041.685 (WinBuild.160101.0800) + MachineType: AMD64 + OriginalFilename: windbg.sys + Authentihash: + MD5: ff65997d5644ff042a7e3a5cb9030af2 + SHA1: a1c5483d4d29d0cd9edc6e42a21d70f56de12aaf + SHA256: 9be868eb7e177ee6d762f2a022acf18b6b190fecbe445b3c09fc0494e8244ee8 + InternalName: windbg.sys + Copyright: '? Microsoft Corporation. All rights reserved.' + Imports: + - ntoskrnl.exe + ExportedFunctions: '' + ImportedFunctions: + - ExAllocatePoolWithTag + - PsProcessType + - IoGetLowerDeviceObject + - ExFreePoolWithTag + - IoRegisterShutdownNotification + - IoAttachDeviceToDeviceStackSafe + - PsLookupProcessByProcessId + - RtlInitUnicodeString + - IoDeleteDevice + - MmGetSystemRoutineAddress + - IoDetachDevice + - KeDelayExecutionThread + - IoUnregisterShutdownNotification + - ZwClose + - IoGetAttachedDeviceReference + - PsGetCurrentProcessId + - ObfDereferenceObject + - IoCreateDevice + - IoEnumerateDeviceObjectList + - IoUnregisterFsRegistrationChange + - ObOpenObjectByPointer + - IoRegisterFsRegistrationChange + - IofCallDriver + - MmUnmapLockedPages + - _wcsicmp + - PsGetProcessPeb + - ZwCreateKey + - RtlCreateUnicodeString + - MmMapLockedPages + - PsSetLoadImageNotifyRoutine + - _wcsnicmp + - ZwReadFile + - IoGetRelatedDeviceObject + - KeSetEvent + - IoCreateFile + - KeInitializeEvent + - ZwDeleteValueKey + - ZwSetValueKey + - RtlEqualUnicodeString + - MmBuildMdlForNonPagedPool + - IoFreeMdl + - RtlFreeUnicodeString + - ObQueryNameString + - IoFileObjectType + - ZwQueryValueKey + - _vsnwprintf + - RtlRandom + - ObReferenceObjectByHandle + - KeWaitForSingleObject + - PsRemoveLoadImageNotifyRoutine + - ZwFlushKey + - MmCreateMdl + - IoFreeIrp + - ZwDeleteFile + - PsGetVersion + - IoAllocateIrp + - CmRegisterCallback + - RtlCopyUnicodeString + - MmIsAddressValid + - CmUnRegisterCallback + - ZwQueryInformationFile + - ZwWriteFile + - ZwDeleteKey + - ZwEnumerateKey + - ZwAllocateVirtualMemory + - 
ZwOpenKey + - KeUnstackDetachProcess + - ZwWaitForSingleObject + - ZwFreeVirtualMemory + - PsGetProcessSessionId + - ZwDuplicateObject + - ObReferenceObjectByName + - KeStackAttachProcess + - RtlSubAuthoritySid + - _strnicmp + - ZwOpenProcessTokenEx + - PsCreateSystemThread + - PsTerminateSystemThread + - PsThreadType + - RtlSubAuthorityCountSid + - ZwQueryInformationToken + - KeBugCheckEx + - strncmp + - strstr + - strchr + - strncpy + - _vsnprintf + - rand + - _stricmp + - ExAllocatePool + - IoBuildDeviceIoControlRequest + - ZwCreateFile + - MmProbeAndLockPages + - IoAllocateMdl + - __C_specific_handler + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance + EV Root CA + ValidFrom: '2011-04-15 19:45:33' + ValidTo: '2021-04-15 19:55:33' + Signature: 208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 
61204db4000000000027 + Version: 3 + TBS: + MD5: 8e3ffc222fbcebdbb8b23115ab259be7 + SHA1: ee20bff28ffe13be731c294c90d6ded5aae0ec0e + SHA256: 59826b69bc8c28118c96323b627da59aaca0b142cc5d8bad25a8fcfd399aa821 + - Subject: ??=CN, ??=, ??=, ??=Private Organization, serialNumber=91420100MA4KN92W72, + C=CN, ST=, L=, O=Wuhan Jiajia Yiyong Technology Co., Ltd., CN=Wuhan Jiajia + Yiyong Technology Co., Ltd. + ValidFrom: '2020-11-17 00:00:00' + ValidTo: '2023-11-12 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 012eab44fa8853d913e7107c89406432 + Version: 3 + TBS: + MD5: 5d40693a8cfc4fd21f0c610ed3ee8477 + SHA1: 4dffeb59ea4c32c7b87c9fe44d55f5e622444824 + SHA256: d7380ff1b3d400fdf8cf2d8ab18ac65a071ae51c83cce017fa236fb530c4af74 + - Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing + CA + ValidFrom: '2012-04-18 12:00:00' + ValidTo: '2027-04-18 12:00:00' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 0dd0e3374ac95bdbfa6b434b2a48ec06 + Version: 3 + TBS: + MD5: f92649915476229b093c211c2b18e6c4 + SHA1: 2d54c16a8f8b69ccdea48d0603c132f547a5cf75 + SHA256: 2cd702a7dec30aa441345672e8992ef9770ce4946f276d767b45b0ed627658fb + Signer: + - SerialNumber: 012eab44fa8853d913e7107c89406432 + Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing + CA + Version: 1 + RichPEHeaderHash: + MD5: 0b8725117e665d5272218cb41038327d + SHA1: a6dde20a0c8ba6cfe531ce1a57035b8d7b3d900a + SHA256: b54213d1248761579f5f569ab7e32402dd88a12622377d381f7eb55d4f4eb053 + Sections: + .text: + Entropy: 6.316005052434714 + Virtual Size: '0xf332' + .rdata: + Entropy: 7.924187513971753 + Virtual Size: '0x1100cc' + .data: + Entropy: 1.4059711626373768 + Virtual Size: '0x2608' + .pdata: + Entropy: 4.843716813714921 + Virtual Size: '0x6d8' + INIT: 
+ Entropy: 5.256170796244334 + Virtual Size: '0xb70' + .rsrc: + Entropy: 3.333432129597516 + Virtual Size: '0x400' + .reloc: + Entropy: 1.3463891478457575 + Virtual Size: '0x174' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2023-03-30 04:23:58' +Tags: +- windbg.sys diff --git a/yaml/de003542-80e1-4aa0-9b99-ed8647a93a6e.yaml b/yaml/de003542-80e1-4aa0-9b99-ed8647a93a6e.yaml index f68dbb714..53b2bc56b 100644 --- a/yaml/de003542-80e1-4aa0-9b99-ed8647a93a6e.yaml +++ b/yaml/de003542-80e1-4aa0-9b99-ed8647a93a6e.yaml @@ -22,6 +22,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: de003542-80e1-4aa0-9b99-ed8647a93a6e KnownVulnerableSamples: - Authentihash: diff --git a/yaml/de365e80-45cb-48fb-af6e-0a96a5ad7777.yaml b/yaml/de365e80-45cb-48fb-af6e-0a96a5ad7777.yaml index 3600f8a13..a11a09a25 100644 --- a/yaml/de365e80-45cb-48fb-af6e-0a96a5ad7777.yaml +++ b/yaml/de365e80-45cb-48fb-af6e-0a96a5ad7777.yaml 
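Review bot: The added `sysmon_hash_detect` and `sysmon_hash_block` entries in yaml/de003542-80e1-4aa0-9b99-ed8647a93a6e.yaml repeat the two entries already present in the context lines directly above them, so the Detection list now references each sysmon config twice. The same duplicated pair shows up in nearly every other yaml hunk of this commit, which suggests the enrichment step appends the shared sigma/sysmon references unconditionally while only the yara link is checked for prior presence. Either drop the two redundant added lines here, or make the generator apply the same "append only if not already in the list" rule to every detection reference it adds. Anything that renders or counts detections per driver will otherwise double-report these rules.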
@@ -24,6 +24,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: de365e80-45cb-48fb-af6e-0a96a5ad7777 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/de4dd27a-1f7e-4271-98a4-55395ab6aabf.yaml b/yaml/de4dd27a-1f7e-4271-98a4-55395ab6aabf.yaml index 0c0cdc0cc..7a1b6962c 100644 --- a/yaml/de4dd27a-1f7e-4271-98a4-55395ab6aabf.yaml +++ b/yaml/de4dd27a-1f7e-4271-98a4-55395ab6aabf.yaml 
@@ -22,6 +22,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: de4dd27a-1f7e-4271-98a4-55395ab6aabf KnownVulnerableSamples: - Authentihash: diff --git a/yaml/dfce8b0f-d857-4808-80ef-61273c7a4183.yaml b/yaml/dfce8b0f-d857-4808-80ef-61273c7a4183.yaml index d73fb094b..61805f6b9 100644 --- a/yaml/dfce8b0f-d857-4808-80ef-61273c7a4183.yaml +++ b/yaml/dfce8b0f-d857-4808-80ef-61273c7a4183.yaml 
@@ -22,6 +22,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: dfce8b0f-d857-4808-80ef-61273c7a4183 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/e368efc7-cf69-47ae-8204-f69dac000b22.yaml b/yaml/e368efc7-cf69-47ae-8204-f69dac000b22.yaml index 69ff8f232..68fa34790 100644 --- a/yaml/e368efc7-cf69-47ae-8204-f69dac000b22.yaml +++ b/yaml/e368efc7-cf69-47ae-8204-f69dac000b22.yaml 
@@ -15,6 +15,16 @@ Created: '2023-07-22' Detection: - type: '' value: '' +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: e368efc7-cf69-47ae-8204-f69dac000b22 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/e4098d7e-78b3-4da1-96cb-68b27f245e02.yaml b/yaml/e4098d7e-78b3-4da1-96cb-68b27f245e02.yaml index 81739bae9..053046f42 100644 --- a/yaml/e4098d7e-78b3-4da1-96cb-68b27f245e02.yaml +++ b/yaml/e4098d7e-78b3-4da1-96cb-68b27f245e02.yaml 
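Review bot: The placeholder entry `- type: '' value: ''` at the head of Detection in yaml/e368efc7-cf69-47ae-8204-f69dac000b22.yaml survives even though the hunk now adds five real detection references beneath it, leaving an entry with an empty type and empty URL that every consumer has to special-case. The ecabc507 and f22e7230 hunks further down carry the same stale placeholder. When the enrichment populates a Detection list it should remove the empty placeholder so the list begins at `- type: yara_signature`, and a schema check that rejects empty `type`/`value` pairs would keep it from reappearing.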
@@ -22,6 +22,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: e4098d7e-78b3-4da1-96cb-68b27f245e02 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/e42cd285-4dda-4086-a696-93ab1d6f17ca.yaml b/yaml/e42cd285-4dda-4086-a696-93ab1d6f17ca.yaml index 0318cf76f..cbb7e2734 100644 --- a/yaml/e42cd285-4dda-4086-a696-93ab1d6f17ca.yaml +++ b/yaml/e42cd285-4dda-4086-a696-93ab1d6f17ca.yaml 
@@ -22,6 +22,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: e42cd285-4dda-4086-a696-93ab1d6f17ca KnownVulnerableSamples: - Authentihash: diff --git a/yaml/e4609b54-cb25-4433-a75a-7a17f43cec00.yaml b/yaml/e4609b54-cb25-4433-a75a-7a17f43cec00.yaml index e547cd020..4c707b40b 100644 --- a/yaml/e4609b54-cb25-4433-a75a-7a17f43cec00.yaml +++ b/yaml/e4609b54-cb25-4433-a75a-7a17f43cec00.yaml 
@@ -22,6 +22,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: e4609b54-cb25-4433-a75a-7a17f43cec00 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/e5f12b82-8d07-474e-9587-8c7b3714d60c.yml b/yaml/e5f12b82-8d07-474e-9587-8c7b3714d60c.yml index bff7f2ad9..934a9f416 100644 --- a/yaml/e5f12b82-8d07-474e-9587-8c7b3714d60c.yml +++ b/yaml/e5f12b82-8d07-474e-9587-8c7b3714d60c.yml 
@@ -22,7 +22,17 @@ Resources: Acknowledgement: Person: [] Handle: '' -Detection: [] +Detection: +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml KnownVulnerableSamples: - Filename: zam64.sys MD5: 2a3ce41bb2a7894d939fbd1b20dae5a0 diff --git a/yaml/e7c958da-fd5d-40d6-975e-582c6fee7f69.yaml b/yaml/e7c958da-fd5d-40d6-975e-582c6fee7f69.yaml index b79b49217..c5799116b 100644 --- a/yaml/e7c958da-fd5d-40d6-975e-582c6fee7f69.yaml +++ b/yaml/e7c958da-fd5d-40d6-975e-582c6fee7f69.yaml 
@@ -22,6 +22,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: e7c958da-fd5d-40d6-975e-582c6fee7f69 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/eb07ef7e-0402-48eb-8e06-8fb76eda5b84.yml b/yaml/eb07ef7e-0402-48eb-8e06-8fb76eda5b84.yml index f658e94fb..b060bd9b4 100644 --- a/yaml/eb07ef7e-0402-48eb-8e06-8fb76eda5b84.yml +++ b/yaml/eb07ef7e-0402-48eb-8e06-8fb76eda5b84.yml 
@@ -27,6 +27,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml KnownVulnerableSamples: - Filename: LHA.sys MD5: 1d768959aaa194d60e4524ce47708377 diff --git a/yaml/ecabc507-2cc7-4011-89ab-7d9d659e6f88.yaml b/yaml/ecabc507-2cc7-4011-89ab-7d9d659e6f88.yaml index 3c16ec522..132d66d24 100644 --- a/yaml/ecabc507-2cc7-4011-89ab-7d9d659e6f88.yaml +++ b/yaml/ecabc507-2cc7-4011-89ab-7d9d659e6f88.yaml 
@@ -15,6 +15,16 @@ Created: '2023-07-22' Detection: - type: '' value: '' +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: ecabc507-2cc7-4011-89ab-7d9d659e6f88 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/edd29861-6984-4dbe-8e7c-22e9b6cf68d0.yaml b/yaml/edd29861-6984-4dbe-8e7c-22e9b6cf68d0.yaml index 22892ac83..08ef8825b 100644 --- a/yaml/edd29861-6984-4dbe-8e7c-22e9b6cf68d0.yaml +++ b/yaml/edd29861-6984-4dbe-8e7c-22e9b6cf68d0.yaml 
@@ -22,6 +22,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: edd29861-6984-4dbe-8e7c-22e9b6cf68d0 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/eef1fcf4-8c54-420b-8d38-9c5f95129dcc.yaml b/yaml/eef1fcf4-8c54-420b-8d38-9c5f95129dcc.yaml index 95e355b6e..ffb371b77 100644 --- a/yaml/eef1fcf4-8c54-420b-8d38-9c5f95129dcc.yaml +++ b/yaml/eef1fcf4-8c54-420b-8d38-9c5f95129dcc.yaml 
@@ -22,6 +22,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: eef1fcf4-8c54-420b-8d38-9c5f95129dcc KnownVulnerableSamples: - Authentihash: diff --git a/yaml/f22e7230-5f32-4c4e-bc9d-9076ebf10baa.yaml b/yaml/f22e7230-5f32-4c4e-bc9d-9076ebf10baa.yaml index ebb2b3273..3e84b8da4 100644 --- a/yaml/f22e7230-5f32-4c4e-bc9d-9076ebf10baa.yaml +++ b/yaml/f22e7230-5f32-4c4e-bc9d-9076ebf10baa.yaml 
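Review bot: The `yara_signature` value added to yaml/eef1fcf4-8c54-420b-8d38-9c5f95129dcc.yaml points at the whole `yara-rules_mal_drivers_strict.yar` file rather than at a specific rule, so a reader cannot tell which rule in that file covers this driver's samples; the previous per-sample form at least identified the matching rule. If the rule names are derivable from the sample hash, recording the rule name alongside the file link (or a line anchor into it) would restore that. This is also the only hunk in the visible range whose yara link is the malicious-driver set while the sigma and sysmon entries below it are the vulnerable-driver rules (`driver_load_win_vuln_drivers.yml` and friends); if the repository ships a separate malicious-driver sigma/sysmon set, this entry should presumably link to that one instead, so the mismatch is worth a comment in the file or a fix in the generator.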
@@ -15,6 +15,16 @@ Created: '2023-07-22' Detection: - type: '' value: '' +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: f22e7230-5f32-4c4e-bc9d-9076ebf10baa KnownVulnerableSamples: - Authentihash: diff --git a/yaml/f4126206-564f-49f5-a942-2138a3131e0e.yml b/yaml/f4126206-564f-49f5-a942-2138a3131e0e.yml index 34ab3905d..0c7e9970b 100644 --- a/yaml/f4126206-564f-49f5-a942-2138a3131e0e.yml +++ b/yaml/f4126206-564f-49f5-a942-2138a3131e0e.yml 
@@ -16,7 +16,17 @@ Resources: Acknowledgement: Person: [] Handle: '' -Detection: [] +Detection: +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml KnownVulnerableSamples: - Filename: NICM.SYS MD5: 52b7cd123f6d1b9ed76b08f2ee7d9433 diff --git a/yaml/f4990bdd-8821-4a3c-a11a-4651e645810c.yaml b/yaml/f4990bdd-8821-4a3c-a11a-4651e645810c.yaml index 3a3f290a0..4887de46b 100644 --- a/yaml/f4990bdd-8821-4a3c-a11a-4651e645810c.yaml +++ b/yaml/f4990bdd-8821-4a3c-a11a-4651e645810c.yaml 
@@ -22,6 +22,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: f4990bdd-8821-4a3c-a11a-4651e645810c KnownVulnerableSamples: - Authentihash: diff --git a/yaml/f4c22f4d-eff8-40c5-8b31-146abe5f17b7.yaml b/yaml/f4c22f4d-eff8-40c5-8b31-146abe5f17b7.yaml index ca5a30b3d..6626137df 100644 --- a/yaml/f4c22f4d-eff8-40c5-8b31-146abe5f17b7.yaml +++ b/yaml/f4c22f4d-eff8-40c5-8b31-146abe5f17b7.yaml 
@@ -22,6 +22,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: f4c22f4d-eff8-40c5-8b31-146abe5f17b7 KnownVulnerableSamples: - Company: '' diff --git a/yaml/f654ad84-c61d-477c-a0b2-d153b927dfcc.yaml b/yaml/f654ad84-c61d-477c-a0b2-d153b927dfcc.yaml index 2952bd771..0ac9d2123 100644 --- a/yaml/f654ad84-c61d-477c-a0b2-d153b927dfcc.yaml +++ b/yaml/f654ad84-c61d-477c-a0b2-d153b927dfcc.yaml 
@@ -24,6 +24,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: f654ad84-c61d-477c-a0b2-d153b927dfcc KnownVulnerableSamples: - Authentihash: diff --git a/yaml/fab98aaa-e4e7-4c4a-af65-c00d35cf66e9.yaml b/yaml/fab98aaa-e4e7-4c4a-af65-c00d35cf66e9.yaml index d29154e5a..dde004bdc 100644 --- a/yaml/fab98aaa-e4e7-4c4a-af65-c00d35cf66e9.yaml +++ b/yaml/fab98aaa-e4e7-4c4a-af65-c00d35cf66e9.yaml 
@@ -22,6 +22,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: fab98aaa-e4e7-4c4a-af65-c00d35cf66e9 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/fbdd993b-47b1-4448-8c41-24c310802398.yaml b/yaml/fbdd993b-47b1-4448-8c41-24c310802398.yaml index 3f4b5e37f..cd94e1e65 100644 --- a/yaml/fbdd993b-47b1-4448-8c41-24c310802398.yaml +++ b/yaml/fbdd993b-47b1-4448-8c41-24c310802398.yaml 
@@ -28,6 +28,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: fbdd993b-47b1-4448-8c41-24c310802398 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/fdf4f85b-47f4-4c98-a0d5-a6583463f565.yaml b/yaml/fdf4f85b-47f4-4c98-a0d5-a6583463f565.yaml index d6274fee4..3072242d7 100644 --- a/yaml/fdf4f85b-47f4-4c98-a0d5-a6583463f565.yaml +++ b/yaml/fdf4f85b-47f4-4c98-a0d5-a6583463f565.yaml 
@@ -22,6 +22,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: fdf4f85b-47f4-4c98-a0d5-a6583463f565 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/fe2f68e1-e459-4802-9a9a-23bb3c2fd331.yaml b/yaml/fe2f68e1-e459-4802-9a9a-23bb3c2fd331.yaml index c5f292d09..7c780e0a9 100644 --- a/yaml/fe2f68e1-e459-4802-9a9a-23bb3c2fd331.yaml +++ b/yaml/fe2f68e1-e459-4802-9a9a-23bb3c2fd331.yaml 
@@ -22,6 +22,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: fe2f68e1-e459-4802-9a9a-23bb3c2fd331 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/ff74f03e-e4ce-4242-bfe3-60601056bb34.yaml b/yaml/ff74f03e-e4ce-4242-bfe3-60601056bb34.yaml index 45322d326..68016dcb5 100644 --- a/yaml/ff74f03e-e4ce-4242-bfe3-60601056bb34.yaml +++ b/yaml/ff74f03e-e4ce-4242-bfe3-60601056bb34.yaml 
@@ -22,6 +22,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: ff74f03e-e4ce-4242-bfe3-60601056bb34 KnownVulnerableSamples: - Authentihash: