1c92e1bf-103b-4545-b242-e5a9858ec9c8

CSC.sys

Description

Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code in the csc.sys driver

UUID: 1c92e1bf-103b-4545-b242-e5a9858ec9c8
Created: 2024-08-21
Author: Nasreddine Bencherchali
Acknowledgement: |

This download link contains the vulnerable driver!

Commands

sc.exe create CSC.sys binPath=C:\windows\temp\CSC.sys type=kernel &amp;&amp; sc.exe start CSC.sys

Use Case	Privileges	Operating System
Elevate privileges	kernel	Windows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed driver files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources

https://github.com/varwara/CVE-2024-26229/tree/main

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26229

https://github.com/zer0condition/ZeroHVCI

CVE

CVE-2024-26229

Known Vulnerable Samples

Property	Value
Filename	CSC.sys
Creation Timestamp	2042-03-24 12:13:22
MD5	e7a3db3fe70e8b0c4aaa1c5e9de8da5a
SHA1	6bf3a21428eb51ecb84e41e9c1e0ac9105fd3079
SHA256	828c54cfecb2a08863319544ac716aee3898dfe78a87d7757a0e92f1b1f1daf1
OriginalFilename	CSC.Sys

Download

Imports

Expand

Imported Functions

Expand

ZwDuplicateObject
ZwCreateFile
KeEnterCriticalRegion
ObfDereferenceObject
FsRtlCancellableWaitForSingleObject
RtlCopyUnicodeString
SeQueryInformationToken
ExAcquireResourceSharedLite
RtlPrefixUnicodeString
IoFileObjectType
ExAllocatePool2
ObReferenceObjectByHandle
ExReleaseResourceLite
SeReleaseSubjectContext
KeReleaseGuardedMutex
ExFreePoolWithTag
KeInitializeEvent
KeAcquireGuardedMutex
ExEventObjectType
ZwClose
KeLeaveCriticalRegion
SeCaptureSubjectContext
RtlSetOwnerSecurityDescriptor
KeBugCheckEx
KeInitializeGuardedMutex
SeAccessCheck
ExDeleteResourceLite
RtlSetDaclSecurityDescriptor
ExDeleteNPagedLookasideList
ExInitializePagedLookasideList
RtlInitUnicodeString
RtlLengthSid
RtlAddAccessAllowedAce
ExDeletePagedLookasideList
ExFreePool
IoRegisterShutdownNotification
ExInitializeNPagedLookasideList
MmGetSystemRoutineAddress
ExAllocatePoolWithTag
ZwQueryValueKey
RtlCreateAcl
IoWMIRegistrationControl
IofCompleteRequest
RtlSetGroupSecurityDescriptor
RtlCreateSecurityDescriptor
DbgPrint
SeExports
ExInitializeResourceLite
ZwOpenKey
SeTokenIsAdmin
ExAllocateFromPagedLookasideList
ExAcquireResourceExclusiveLite
ExIsResourceAcquiredExclusiveLite
ExFreeToPagedLookasideList
KeWaitForSingleObject
RtlCompareUnicodeString
KeReadStateEvent
IoCancelIrp
RtlUpcaseUnicodeChar
KeSetEvent
IoGetTopLevelIrp
IofCallDriver
KeGetCurrentIrql
MmBuildMdlForNonPagedPool
IoAllocateMdl
IoFreeMdl
KeAreAllApcsDisabled
__C_specific_handler
ExIsResourceAcquiredSharedLite
FsRtlDoesNameContainWildCards
MmMapLockedPagesSpecifyCache
FsRtlNotifyInitializeSync
IoFreeIrp
FsRtlNotifyCleanupAll
FsRtlNotifyCleanup
FsRtlNotifyUninitializeSync
IoAllocateIrp
FsRtlNotifyFilterChangeDirectory
IoAcquireCancelSpinLock
FsRtlNotifyFullReportChange
IoReleaseCancelSpinLock
RtlInitializeGenericTableAvl
RtlDeleteElementGenericTableAvl
RtlLookupElementGenericTableAvl
RtlInsertElementGenericTableAvl
RtlEnumerateGenericTableAvl
RtlIsGenericTableEmptyAvl
ZwQueryLicenseValue
ExRegisterCallback
ExCreateCallback
ZwCreateKey
RtlUnicodeStringToInteger
ZwDeleteValueKey
RtlIntegerToUnicodeString
ZwSetValueKey
ExUnregisterCallback
RtlAppendUnicodeStringToString
ExFreeToNPagedLookasideList
ExWaitForRundownProtectionRelease
ExReInitializeRundownProtection
ExInitializeRundownProtection
ExAcquireRundownProtection
ExAllocateFromNPagedLookasideList
KeResetEvent
ExReleaseRundownProtection
FsRtlFreeExtraCreateParameterList
FsRtlInsertExtraCreateParameter
FsRtlFindExtraCreateParameter
FsRtlAllocateExtraCreateParameter
FsRtlAllocateExtraCreateParameterList
FsRtlFreeExtraCreateParameter
IoSetIrpExtraCreateParameter
FsRtlRemoveExtraCreateParameter
IoGetIrpExtraCreateParameter
RtlFreeUnicodeString
RtlEqualSid
RtlDuplicateUnicodeString
KeSetTimer
IoAllocateWorkItem
ZwUpdateWnfStateData
KeInitializeDpc
ZwNotifyChangeKey
KeInitializeTimer
KeCancelTimer
IoFreeWorkItem
IoQueueWorkItem
MmUnmapLockedPages
ZwFreeVirtualMemory
KeRundownQueue
ZwAllocateVirtualMemory
KeReleaseSpinLock
MmSystemRangeStart
KeInitializeSpinLock
KeInitializeQueue
KeRemoveQueue
KeInsertQueue
KeAcquireSpinLockRaiseToDpc
ExGetPreviousMode
__chkstk
RtlValidSid
RtlValidRelativeSecurityDescriptor
IoGetRequestorProcessId
IoGetRequestorProcess
ProbeForWrite
ProbeForRead
MmUserProbeAddress
IoIs32bitProcess
CcSetDirtyPinnedData
CcUnpinData
CcPinRead
ExUuidCreate
RtlStringFromGUID
KeDelayExecutionThread
RtlTestBit
RtlInitializeBitMap
RtlSetBit
SeTokenType
SePrivilegeCheck
RtlAbsoluteToSelfRelativeSD
RtlLengthRequiredSid
RtlSubAuthoritySid
RtlInitializeSid
KeSetKernelStackSwapEnable
KeExpandKernelStackAndCalloutEx
ZwQueryInformationFile
SeDeleteClientSecurity
ZwQueryEaFile
IoCreateFile
ZwSetInformationFile
ZwFlushBuffersFile
IoSetCompletionRoutineEx
IoAllocateIrpEx
ZwQueryDirectoryFile
IoGetCurrentProcess
PsIsThreadImpersonating
SeCreateClientSecurity
IoSetTopLevelIrp
IoSetIoPriorityHint
IoRetrievePriorityInfo
ZwSetEaFile
ZwQueryVolumeInformationFile
MmProbeAndLockPages
IoGetStackLimits
SeImpersonateClientEx
MmUnlockPages
PsRevertToSelf
IoGetRelatedDeviceObject
_vsnwprintf
PsCreateSystemThread
KeWaitForMultipleObjects
ZwWaitForSingleObject
RtlEqualString
RtlAssert
RtlValidateUnicodeString
RtlEqualUnicodeString
ExReleaseFastMutexUnsafe
ExAcquireFastMutex
KeAreApcsDisabled
ExReleaseFastMutex
ZwDeleteKey
ExAcquireFastMutexUnsafe
RxRecreateVNetRoot
RxAttachIrpToRxContext
RxDetachIrpFromRxContext
RxUnOrphanCredential
RxOrphanCredential
RxIsCompatibleSecurityContext
RxReferenceCredential
RxFinalizeConnection
RxDeleteLinkedVNetRoot
RxCreateLinkedVNetRoot
RxCompleteRequestEx
RxDowngradeFcbToSharedInMRx
RxRemoveDollarDataSuffix
RxLastComponentUnicodeString
RxLowIoCompletion
RxLowIoGetBufferAddress
RxQueryDeepestLViewInPath
RxFindRegisteredMiniRedir
RxIsUserCredentialPresent
RxIsCredentialOrphaned
RxDereferenceCredential
RxGetShareRights
RxFindEa
RxPrefixTableLookupNameEx
RxNotifyBufferingManagerOfCompletedOpen
RxDeregisterSrvOpenWithBufferingManager
RxInitializeLowIoContext
RxUpdateNetRootCachingMode
RxCreateNetFobx
RxFlushFcbInSystemCache
RxCloseAndFreeMRxStateOnFcb
RxSubjectContextFromRxContext
RxFinishFcbInitialization
RxIsFcbPagingInMRxAcquiredShared
RxIsFcbPagingInMRxAcquiredExclusive
RxSidFromRxContext
RxUpdateOplockStateOnCreate
RxLockEnumerator
RxIterateOnFcbOpens
RxSetBasicInfoInFcb
RxSetFcbDispatchTable
RxNotifyBufferingManagerOfPendingOpen
RxOrphanFobx
RxSetFcbNameTargetType
RxFsdDispatch
RxGetRDBSSProcess
RxPostToWorkerThread
RxUnregisterMinirdr
RxRegisterMinirdr
RxRegisterLogicalMinirdr
RxScavengeRelatedFobxs
RxDoesRedirSupportLogicalViews
RxPrefixTableLookupNextObject
RxIterateOnVNetRoots
RxInitNetInfoFromFcb
RxpTrackDereference
RxPrefixTableUnwindLastEnum
RxDereferenceAndDeleteRxContext_Real
RxPrefixTableLookupFirstObject
RxDoesOplockStateChangeOnSrvOpenClose
RxUnmarkOrphanableFobx
RxReleaseFcbPagingInMRx
RxDereference
RxAcquireLogicalViewRundownInMRx
RxFindFirstPhysicalRdrVNetRootFromNetRoot
RxAcquirePowerContextLock
RxGetDeviceObjectOfInstance
RxReleaseLViewRundownInMRx
RxPurgeFcbInSystemCache
RxFcbTableNameFromFcb
RxAcquireExclusiveFcbPagingInMRx
RxSetMinirdrCancelRoutine
RxClearMinirdrCancelRoutine
RxUpdateFcbPowerState
RxClearLogicalRdrVNetRootCredential
RxReleasePowerContextLock
RxPrefixTableEndLookup
RxCloseAndFreeMRxStateOnLogicalView
RxCreateRxContext
RxScavengeRelatedClosePendingFobxs
RxIterateOnLViewFcbsInMRx
RxpTrackReference
RxQueryNetRootCachingMode
RxAcquireSharedFcbResourceInMRx
RxAcquireExclusiveFcbResourceInMRx
RxReleaseFcbResourceInMRx
RxReference
MupSurrogateGetFileName
MupSurrogateRegisterProvider
MupSurrogateSetUndecoratedFileName
MupSurrogateRestartIo
MupSurrogateGetUncProviderDeviceObject
MupSurrogateDeregisterProvider

Exported Functions

Expand

Sections

Expand

.text
.rdata
.data
.pdata
.idata
PAGE
fothk
INIT
GFIDS
.rsrc
.reloc

Signature

Expand

source

last_updated: 2024-09-26