0e8da43d-92e0-43f9-bc34-50a7d15b34bd

etdsupp.sys :inline

Description

etdsupp.sys is a vulnerable driver and more information will be added as found.

  • UUID: 0e8da43d-92e0-43f9-bc34-50a7d15b34bd
  • Created: 2023-05-11
  • Author: Nasreddine Bencherchali
  • Acknowledgement: Michael Alfaro | @_mmpte_software

Download

This download link contains the vulnerable driver!

Commands

sc.exe create etdsupp binPath=C:\windows\temp\etdsupp.sys type=kernel && sc.exe start etdsupp.sys
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed driver files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • Internal Research

    • Known Vulnerable Samples

    PropertyValue
    Filenameetdsupp.sys
    Creation Timestamp2022-11-07 16:38:44
    MD5a92bf3c219a5fa82087b6c31bdf36ff3
    SHA1a57eefa0c653b49bd60b6f46d7c441a78063b682
    SHA256f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145
    Authentihash MD5bcc13f939e945b7395681cc6299a45bb
    Authentihash SHA196faa975feb28588372a98a1e77d98af7fc90e41
    Authentihash SHA256c9532a354c24fd256c24534c554bca5a126414eb496dbd3223fe9486418df2ea
    RichPEHeaderHash MD5cf643234aa46307b74481a16f78c4e77
    RichPEHeaderHash SHA16a7972690baca2292ab606c7db9294fe7a7b5253
    RichPEHeaderHash SHA2560a6a33a5113114984b057df1e89d6ae9487b4c5928f0da3ea7382090e5617226
    CompanyHP Development Company
    DescriptionETDi Support Driver
    ProductHP ETDi Driver DLL
    OriginalFilenameetdsupp.sys

    Download

    Certificates

    Expand
    Certificate 08ad40b260d29c4c9f5ecda9bd93aed9
    FieldValue
    ToBeSigned (TBS) MD55d8003a64dfa5a4d88365da1566038cb
    ToBeSigned (TBS) SHA179465b56bc7ad55a37bdf633943da8bfc84db228
    ToBeSigned (TBS) SHA25684bdc82e2f2a7f7aaa782667dac556ffcb2b33240c1f9c0a00a3264526a98332
    SubjectC=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
    ValidFrom2021-04-29 00:00:00
    ValidTo2036-04-28 23:59:59
    Signature3a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e
    SignatureAlgorithmOID1.2.840.113549.1.1.12
    IsCertificateAuthorityTrue
    SerialNumber08ad40b260d29c4c9f5ecda9bd93aed9
    Version3
    Certificate 0ec67729a8c3327b1b23804ce24719bd
    FieldValue
    ToBeSigned (TBS) MD5afe1c63df3a72b3310fa8c7dffc96e31
    ToBeSigned (TBS) SHA1703cdd9e140b72b91be73f874f4c20992bb298e9
    ToBeSigned (TBS) SHA25692451a4efd049ec849f8a2439f467692ef93c6d2c7fb5fa44686f979ce4a9491
    Subject??=Private Organization, ??=US, ??=California, serialNumber=C2895304, C=US, ST=California, L=Palo Alto, O=HP Inc., OU=HP Cybersecurity, CN=HP Inc.
    ValidFrom2022-01-19 00:00:00
    ValidTo2024-01-19 23:59:59
    Signature9500d1da5fadfef36a40966dce1ca0cee421500966b33f49f4c10f8acfea86f00dffde1f543367816b85f0ff09bc7f4767f7ca4533ea1b94c8eb026cd04936cd558ae73815b87a5e7a5b25a8b8aa9fb309f20a455067b17f1648d46a46f1f714b6f7c3df658545a43513e08b23828fa4e2180bf7356ab845318358cb4655b3c2c5efbf3ef01ebf6a172a271d714da3b844a184412a57d7e36e52480f8d3ced0fb1fa5c42257b05904820138acaea141a50294d827b92ef804d25d7cb36426edb915c90e97b8461df38f47ecb905b29b40ecf54dea2b060276444740357f2e8557a5fe064a03426c9408652e88a9b253f7bd37334199ce81b866b73b897217dcf019c8c7e5be66905b528a9eda563bca9b4922ea972df2e68c06d3396ac1bb76e4551f750ebd66d1c68edb6ecffdd8f9f492b7630e4a0591867edccec6d5cb6d58c35b89a8aebdc12c210b38289ecf419f8e82c1a03e2c8761b984bafafa502db482659a1ff256eee72175bc1a3d5dd5afa71fedbd7a8f4ad1cf6e569e382775ed6828dedeea6bf8689ee18dbe380140949cdc4a827622f23841731bb062941226d030e3873a425b078fe4926ef1985d8aecfce1140848b565dc0b5b722bf11fe129f6caee67af3e1c797562224849cfecbeda2f6c801d727f93a53e8b01cf475c541f3f4e26cf4c34e7b28cdb059f46880d92c6aab7d15eca050c395e4035fa5
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityFalse
    SerialNumber0ec67729a8c3327b1b23804ce24719bd
    Version3

    Imports

    Expand
    • ntoskrnl.exe
    • HAL.dll

    Imported Functions

    Expand
    • IoCreateDevice
    • IoCreateSymbolicLink
    • IoDeleteDevice
    • IofCompleteRequest
    • MmGetPhysicalAddress
    • __C_specific_handler
    • KeBugCheckEx
    • DbgPrint
    • IoDeleteSymbolicLink
    • RtlAppendUnicodeToString
    • HalGetBusDataByOffset
    • HalSetBusDataByOffset

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • INIT
    • .rsrc
    • .reloc

    Signature

    Expand
    {
  "Certificates": [
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "08ad40b260d29c4c9f5ecda9bd93aed9",
      "Signature": "3a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.12",
      "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1",
      "TBS": {
        "MD5": "5d8003a64dfa5a4d88365da1566038cb",
        "SHA1": "79465b56bc7ad55a37bdf633943da8bfc84db228",
        "SHA256": "84bdc82e2f2a7f7aaa782667dac556ffcb2b33240c1f9c0a00a3264526a98332",
        "SHA384": "65b1d4076a89ae273f57e6eeedecb3eae129b4168f76fa7671914cdf461d542255c59d9b85b916ae0ca6fc0fcf7a8e64"
      },
      "ValidFrom": "2021-04-29 00:00:00",
      "ValidTo": "2036-04-28 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "0ec67729a8c3327b1b23804ce24719bd",
      "Signature": "9500d1da5fadfef36a40966dce1ca0cee421500966b33f49f4c10f8acfea86f00dffde1f543367816b85f0ff09bc7f4767f7ca4533ea1b94c8eb026cd04936cd558ae73815b87a5e7a5b25a8b8aa9fb309f20a455067b17f1648d46a46f1f714b6f7c3df658545a43513e08b23828fa4e2180bf7356ab845318358cb4655b3c2c5efbf3ef01ebf6a172a271d714da3b844a184412a57d7e36e52480f8d3ced0fb1fa5c42257b05904820138acaea141a50294d827b92ef804d25d7cb36426edb915c90e97b8461df38f47ecb905b29b40ecf54dea2b060276444740357f2e8557a5fe064a03426c9408652e88a9b253f7bd37334199ce81b866b73b897217dcf019c8c7e5be66905b528a9eda563bca9b4922ea972df2e68c06d3396ac1bb76e4551f750ebd66d1c68edb6ecffdd8f9f492b7630e4a0591867edccec6d5cb6d58c35b89a8aebdc12c210b38289ecf419f8e82c1a03e2c8761b984bafafa502db482659a1ff256eee72175bc1a3d5dd5afa71fedbd7a8f4ad1cf6e569e382775ed6828dedeea6bf8689ee18dbe380140949cdc4a827622f23841731bb062941226d030e3873a425b078fe4926ef1985d8aecfce1140848b565dc0b5b722bf11fe129f6caee67af3e1c797562224849cfecbeda2f6c801d727f93a53e8b01cf475c541f3f4e26cf4c34e7b28cdb059f46880d92c6aab7d15eca050c395e4035fa5",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "??=Private Organization, ??=US, ??=California, serialNumber=C2895304, C=US, ST=California, L=Palo Alto, O=HP Inc., OU=HP Cybersecurity, CN=HP Inc.",
      "TBS": {
        "MD5": "afe1c63df3a72b3310fa8c7dffc96e31",
        "SHA1": "703cdd9e140b72b91be73f874f4c20992bb298e9",
        "SHA256": "92451a4efd049ec849f8a2439f467692ef93c6d2c7fb5fa44686f979ce4a9491",
        "SHA384": "47c4642eaa33c02889cabb1070764b99c10827dbd83cd3fe5bcc939a8480c0c58d0abf53f06513ade2c4701b55ebf738"
      },
      "ValidFrom": "2022-01-19 00:00:00",
      "ValidTo": "2024-01-19 23:59:59",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1",
      "SerialNumber": "0ec67729a8c3327b1b23804ce24719bd",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

    source

    last_updated: 2024-04-09