2d7c96d3-2d6c-44cd-a8a1-5239f571a24a

HW.sys :inline

Description

HW.sys is a vulnerable driver and more information will be added as found.

  • UUID: 2d7c96d3-2d6c-44cd-a8a1-5239f571a24a
  • Created: 2023-05-06
  • Author: Nasreddine Bencherchali
  • Acknowledgement: |

DownloadBlock

This download link contains the vulnerable driver!

Commands

sc.exe create HW.sys binPath=C:\windows\temp\HW.sys type=kernel && sc.exe start HW.sys
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed driver files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • Internal Research

    • Known Vulnerable Samples

    PropertyValue
    FilenameHW.sys
    Creation Timestamp2015-06-24 17:52:05
    MD53cf7a55ec897cc938aebb8161cb8e74f
    SHA122fc833e07dd163315095d32ebcd3b3e377c33a4
    SHA256fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c
    Authentihash MD522db74f3f2e50ccdeb471c81e3a62532
    Authentihash SHA16e87cd3b027a07a810164d618e3f2fce61eb6ec4
    Authentihash SHA256734b74798a680d2e534c14a033858c4081c7879af1f48037d9d5483aa27a7e90
    RichPEHeaderHash MD53389ab434a886ca939bbb64de33ea971
    RichPEHeaderHash SHA138d029a7b63d45c7c386558117cda903c1b15102
    RichPEHeaderHash SHA256517ea8a886737da4ba8f7bcdc6041dc0da9073a76e514be5a73d10836ebcbbf0
    CompanyMarvin Test Solutions, Inc.
    DescriptionHW - Windows NT-8 (32/64 bit) kernel mode driver for PC ports/memory/PCI access
    ProductHW
    OriginalFilenameHW.sys

    Download

    Certificates

    Expand
    Certificate 0400000000012f4ee152d7
    FieldValue
    ToBeSigned (TBS) MD5e140543fe3256027cfa79fc3c19c1776
    ToBeSigned (TBS) SHA1c655f94eb1ecc93de319fc0c9a2dc6c5ec063728
    ToBeSigned (TBS) SHA2563ca71e85908ff67368e4dc00253f5691b9e6d50c966e7784143d75fb92aa3448
    SubjectC=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2
    ValidFrom2011-04-13 10:00:00
    ValidTo2028-01-28 12:00:00
    Signature4e5e56901e46b4d94931f3bb1739281bc216ddfd41dc0905049b6fb2a29ad6992e40990055b5ea3fa52076d38634d417cc553ac782eeefa8babcd8069f1550dfcd167b523a02d7191afdaff0785ce04bc518df3a241edaacb8a95804020730dbb0125efe31bef00448f4f070f83a5e5683cf3dfb0dbcf4c5ed979db9d4dba52784e3389b8ba735864420a43b6da46a0ba183fd28ebdaef28f6cc885dfb0a3b00abe021ebe22f356c0f8e344597eba2f79933357ecb9a8abb454de73f9fc2d98afa65b26ec77e65ffe892e12c31a2f7b02736488f266f3bee4d761f79c3e57f9635bc2d0ecc01b08e7fff518080a792d4b34446648c874f166307314b63b0dff3
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber0400000000012f4ee152d7
    Version3
    Certificate 0400000000012f4ee1355c
    FieldValue
    ToBeSigned (TBS) MD5f6a9e8eb8784f3f694b4e353c08a0ff5
    ToBeSigned (TBS) SHA1589a7d4df869395601ba7538a65afae8c4616385
    ToBeSigned (TBS) SHA256cbdc9a0ad785d0c2013211746b42234e18bdc7d54a7a260647badc1c9e712ed4
    SubjectC=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2
    ValidFrom2011-04-13 10:00:00
    ValidTo2019-04-13 10:00:00
    Signature225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber0400000000012f4ee1355c
    Version3
    Certificate 112106a081d33fd87ae5824cc16b52094e03
    FieldValue
    ToBeSigned (TBS) MD5a0ac4d48fe852f7b3ed4e623d59a825f
    ToBeSigned (TBS) SHA1d4db9846bc4d7db142eeb364286f6de7c102420c
    ToBeSigned (TBS) SHA25678d2e41a13eb4e9171bae2d2adb192cf39210b5231f77cda936bcfbe8c003bdf
    SubjectC=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2
    ValidFrom2015-02-03 00:00:00
    ValidTo2026-03-03 00:00:00
    Signature8032dc078d1ca09c9d3c2ae83d218b59a14d7ecc44ce03be7eaabcc4e67b73bb4bf188da904e7537283863b9d72b0f54a956ce7739973073cd9bd9d905451c8da4b8035d4fd91c2e98e0e988e6ecd7057e562a7bf7165ba3ad8f972512841bb25c634a0ad2ef10544782843569289c0ce41f141624fa75dc74726e4ecae36a43afcf7d3648d1bde906912c2fa6c871fdcfbdd89d2198fcafdbde228cafa7f377ef9ddca3704b441af078851ef2a58c39b5dc881c37edad14f5070b26bdbe6d025eb1b8b0586c853a0df6ff5a270cc5de53e7543c564cc94e4c30f6f25cfb1a8cc282bead5991f61b4d557bcf5b01dcfd7ad36f235c32479b01f3c15114468a9b
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber112106a081d33fd87ae5824cc16b52094e03
    Version3
    Certificate 1121f0942b1e09a2573e8ab9ce0e3955b2de
    FieldValue
    ToBeSigned (TBS) MD55bdf35241e1bbd3dd8560aba2c4305f1
    ToBeSigned (TBS) SHA134e844721f998e3b40ee75329c4e5df87e52dc61
    ToBeSigned (TBS) SHA2569441743aa497acefe2535a284e44a4cd55a201965900add8c7d770b0af7a8845
    SubjectC=US, ST=CA, L=Irvine, O=Marvin Test Solutions, Inc., CN=Marvin Test Solutions, Inc., emailAddress=it@marvintest.com
    ValidFrom2015-06-17 17:46:36
    ValidTo2018-05-04 18:44:13
    Signatureab38f2c50cf023223b1fd78c4204cff8fbe1c71ca14bd3dc5d1f7833604526265abcc71a97faae04edf79563c97a75f4587852b1c8cb972771427710112f8fab1c1a01ca13d04301d551ff4c1728798bd5d8e9038ca079a7c1e5fe268f2c87b397bf2038bbee8dabb80be0f2158a468feca435ff9ed8611cf1a7cf0a6756d2defda9934a4c8a6f6dd1577070ca3e6d2ea155f01bae4e0cf05596226810c52e256bf6f7d0632a34bbe3926e083f5eb95bfa614ac331bee378d5a158222731b1edbf1bb3db3915376764e10cffca289cf0478bf9a8e0cf74a85a2a0147aa3ab1b6fb88b69de8c706dc91155126d3b7aaa0fd98b62357a7e30e7c34ef4809009f5d
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber1121f0942b1e09a2573e8ab9ce0e3955b2de
    Version3
    Certificate 6129152700000000002a
    FieldValue
    ToBeSigned (TBS) MD50bb058d116f02817737920f112d9fd3b
    ToBeSigned (TBS) SHA1fd116235171a4feafedee586b7a59185fb5fd7e6
    ToBeSigned (TBS) SHA256f970426cc46d2ae0fc5f899fa19dbe76e05f07e525654c60c3c9399492c291f4
    SubjectC=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA
    ValidFrom2011-04-15 19:55:08
    ValidTo2021-04-15 20:05:08
    Signature5ff8d065746a81c6a6ca5b03b6914ae84bbdef2ba142f0efb4a5adcd3389ec0b9585ac62501108aa58d25aa08310e5a6337af25af2c5fe787cf09c83df190ad97396002dd62ccde914d41d9de83f3c1a76f7904efb01350a6c9313a0c356eb67a0e4d17a96dec267f190f80a7bf5321b94ec5f751f8d1b34da6c58a7cb2d279e2226b7c9aa30cc0777b836e38201b5393ccc8dd9a75f7f23b3877fdb5798918bd7ce2520e39d644fdd87f72b68490318e0a5df7c5f68644d36838d4781f2e9e0a869abfa7b163c05a449ea8830190a6c73055178dfd41ddd3ad47f2de44e54be83431e7a7433b4a4ebd77073bc2a02988966eef6bc8f749378e329025a5a43e258ce7ccf9acad236893be25fda26054ec8d4e72c910e1797c5beee8b13112323294ffa83d050f6bafad53db3173df4ff034aa325dce67561d1fa35086bd62744d068b78d45e0eb852cc8a15d614474160e5958aed2b5eea5bcd6d7076ab62978fd976767dd8d4f17944fd2ed0caf972437c3a29c81da6be143b6577b4cecbf791319e79fe844e94781b75e701e91f83dd17b27f50b7056434805dda92fab86101d0b12e31ad04c6e75ded645b30b748887935c564a41029af7aeb799d8b67f88fa11f2457cf4d71b91c01cf1a0fbd4080a411a142acef4eb34486e66879ed54b7a397fbb0e3d3861cf735706e412066bd96b5308cd7018c22d4f974691bca9f0
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber6129152700000000002a
    Version3

    Imports

    Expand
    • ntoskrnl.exe
    • HAL.dll

    Imported Functions

    Expand
    • RtlInitUnicodeString
    • RtlAppendUnicodeStringToString
    • ZwClose
    • ZwOpenProcess
    • KeReleaseMutex
    • KeWaitForSingleObject
    • PsGetCurrentProcessId
    • KeInitializeDpc
    • MmGetSystemRoutineAddress
    • IoDeleteDevice
    • IoCreateSymbolicLink
    • KeInitializeMutex
    • IoCreateDevice
    • IoDeleteSymbolicLink
    • PsGetVersion
    • ZwUnmapViewOfSection
    • ZwMapViewOfSection
    • ObReferenceObjectByHandle
    • ZwOpenSection
    • ExFreePoolWithTag
    • MmMapLockedPages
    • MmBuildMdlForNonPagedPool
    • IoAllocateMdl
    • MmMapIoSpace
    • MmUnmapLockedPages
    • MmUnmapIoSpace
    • MmFreeContiguousMemory
    • MmGetPhysicalAddress
    • MmAllocateContiguousMemory
    • IofCallDriver
    • IoBuildSynchronousFsdRequest
    • IoGetDeviceProperty
    • KeInitializeEvent
    • ObfDereferenceObject
    • ExAllocatePoolWithTag
    • ObReferenceObjectByName
    • IoDriverObjectType
    • IofCompleteRequest
    • IoDisconnectInterrupt
    • KeReleaseInterruptSpinLock
    • KeAcquireInterruptSpinLock
    • ExEventObjectType
    • KeFlushQueuedDpcs
    • KeInsertQueueDpc
    • KeSetEvent
    • IoFreeMdl
    • ExAllocatePool
    • HalGetBusDataByOffset

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • INIT
    • .rdata
    • .pdata
    • .rsrc

    Signature

    Expand
    {
  "Certificates": [
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "0400000000012f4ee152d7",
      "Signature": "4e5e56901e46b4d94931f3bb1739281bc216ddfd41dc0905049b6fb2a29ad6992e40990055b5ea3fa52076d38634d417cc553ac782eeefa8babcd8069f1550dfcd167b523a02d7191afdaff0785ce04bc518df3a241edaacb8a95804020730dbb0125efe31bef00448f4f070f83a5e5683cf3dfb0dbcf4c5ed979db9d4dba52784e3389b8ba735864420a43b6da46a0ba183fd28ebdaef28f6cc885dfb0a3b00abe021ebe22f356c0f8e344597eba2f79933357ecb9a8abb454de73f9fc2d98afa65b26ec77e65ffe892e12c31a2f7b02736488f266f3bee4d761f79c3e57f9635bc2d0ecc01b08e7fff518080a792d4b34446648c874f166307314b63b0dff3",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2",
      "TBS": {
        "MD5": "e140543fe3256027cfa79fc3c19c1776",
        "SHA1": "c655f94eb1ecc93de319fc0c9a2dc6c5ec063728",
        "SHA256": "3ca71e85908ff67368e4dc00253f5691b9e6d50c966e7784143d75fb92aa3448",
        "SHA384": "d9d366f9328f2b55ee19a32cc5fd5148b81d764282fe5dc196c872ae249caa51d2c212ef39f33945dfe0cda81925e326"
      },
      "ValidFrom": "2011-04-13 10:00:00",
      "ValidTo": "2028-01-28 12:00:00",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "0400000000012f4ee1355c",
      "Signature": "225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2",
      "TBS": {
        "MD5": "f6a9e8eb8784f3f694b4e353c08a0ff5",
        "SHA1": "589a7d4df869395601ba7538a65afae8c4616385",
        "SHA256": "cbdc9a0ad785d0c2013211746b42234e18bdc7d54a7a260647badc1c9e712ed4",
        "SHA384": "dcec542f242317863d0b3d23947e17d6982e381003831777b07ed75b46fb18bd0392a89c9beb6862981cd05f3f2fb77b"
      },
      "ValidFrom": "2011-04-13 10:00:00",
      "ValidTo": "2019-04-13 10:00:00",
      "Version": 3
    },
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "112106a081d33fd87ae5824cc16b52094e03",
      "Signature": "8032dc078d1ca09c9d3c2ae83d218b59a14d7ecc44ce03be7eaabcc4e67b73bb4bf188da904e7537283863b9d72b0f54a956ce7739973073cd9bd9d905451c8da4b8035d4fd91c2e98e0e988e6ecd7057e562a7bf7165ba3ad8f972512841bb25c634a0ad2ef10544782843569289c0ce41f141624fa75dc74726e4ecae36a43afcf7d3648d1bde906912c2fa6c871fdcfbdd89d2198fcafdbde228cafa7f377ef9ddca3704b441af078851ef2a58c39b5dc881c37edad14f5070b26bdbe6d025eb1b8b0586c853a0df6ff5a270cc5de53e7543c564cc94e4c30f6f25cfb1a8cc282bead5991f61b4d557bcf5b01dcfd7ad36f235c32479b01f3c15114468a9b",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2",
      "TBS": {
        "MD5": "a0ac4d48fe852f7b3ed4e623d59a825f",
        "SHA1": "d4db9846bc4d7db142eeb364286f6de7c102420c",
        "SHA256": "78d2e41a13eb4e9171bae2d2adb192cf39210b5231f77cda936bcfbe8c003bdf",
        "SHA384": "990ed96dca5979deeedc98a012279f04efb5559d7e7f5084a12f3802ee9439326557aecefd081cff739b78515b5d7f50"
      },
      "ValidFrom": "2015-02-03 00:00:00",
      "ValidTo": "2026-03-03 00:00:00",
      "Version": 3
    },
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "1121f0942b1e09a2573e8ab9ce0e3955b2de",
      "Signature": "ab38f2c50cf023223b1fd78c4204cff8fbe1c71ca14bd3dc5d1f7833604526265abcc71a97faae04edf79563c97a75f4587852b1c8cb972771427710112f8fab1c1a01ca13d04301d551ff4c1728798bd5d8e9038ca079a7c1e5fe268f2c87b397bf2038bbee8dabb80be0f2158a468feca435ff9ed8611cf1a7cf0a6756d2defda9934a4c8a6f6dd1577070ca3e6d2ea155f01bae4e0cf05596226810c52e256bf6f7d0632a34bbe3926e083f5eb95bfa614ac331bee378d5a158222731b1edbf1bb3db3915376764e10cffca289cf0478bf9a8e0cf74a85a2a0147aa3ab1b6fb88b69de8c706dc91155126d3b7aaa0fd98b62357a7e30e7c34ef4809009f5d",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, ST=CA, L=Irvine, O=Marvin Test Solutions, Inc., CN=Marvin Test Solutions, Inc., emailAddress=it@marvintest.com",
      "TBS": {
        "MD5": "5bdf35241e1bbd3dd8560aba2c4305f1",
        "SHA1": "34e844721f998e3b40ee75329c4e5df87e52dc61",
        "SHA256": "9441743aa497acefe2535a284e44a4cd55a201965900add8c7d770b0af7a8845",
        "SHA384": "83003cfcb03f6cff7f5ca49603bcd9db4b5ebf62dd48a892b7d78e98ecf42726f0e77e9318050b71f5d6c649f92938c8"
      },
      "ValidFrom": "2015-06-17 17:46:36",
      "ValidTo": "2018-05-04 18:44:13",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "6129152700000000002a",
      "Signature": "5ff8d065746a81c6a6ca5b03b6914ae84bbdef2ba142f0efb4a5adcd3389ec0b9585ac62501108aa58d25aa08310e5a6337af25af2c5fe787cf09c83df190ad97396002dd62ccde914d41d9de83f3c1a76f7904efb01350a6c9313a0c356eb67a0e4d17a96dec267f190f80a7bf5321b94ec5f751f8d1b34da6c58a7cb2d279e2226b7c9aa30cc0777b836e38201b5393ccc8dd9a75f7f23b3877fdb5798918bd7ce2520e39d644fdd87f72b68490318e0a5df7c5f68644d36838d4781f2e9e0a869abfa7b163c05a449ea8830190a6c73055178dfd41ddd3ad47f2de44e54be83431e7a7433b4a4ebd77073bc2a02988966eef6bc8f749378e329025a5a43e258ce7ccf9acad236893be25fda26054ec8d4e72c910e1797c5beee8b13112323294ffa83d050f6bafad53db3173df4ff034aa325dce67561d1fa35086bd62744d068b78d45e0eb852cc8a15d614474160e5958aed2b5eea5bcd6d7076ab62978fd976767dd8d4f17944fd2ed0caf972437c3a29c81da6be143b6577b4cecbf791319e79fe844e94781b75e701e91f83dd17b27f50b7056434805dda92fab86101d0b12e31ad04c6e75ded645b30b748887935c564a41029af7aeb799d8b67f88fa11f2457cf4d71b91c01cf1a0fbd4080a411a142acef4eb34486e66879ed54b7a397fbb0e3d3861cf735706e412066bd96b5308cd7018c22d4f974691bca9f0",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA",
      "TBS": {
        "MD5": "0bb058d116f02817737920f112d9fd3b",
        "SHA1": "fd116235171a4feafedee586b7a59185fb5fd7e6",
        "SHA256": "f970426cc46d2ae0fc5f899fa19dbe76e05f07e525654c60c3c9399492c291f4",
        "SHA384": "c0df876be008c26ca407fe904e6f5e7ccded17f9c16830ce9f8022309c9e64c97f494810f152811ae43e223b82ad7cc6"
      },
      "ValidFrom": "2011-04-15 19:55:08",
      "ValidTo": "2021-04-15 20:05:08",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2",
      "SerialNumber": "1121f0942b1e09a2573e8ab9ce0e3955b2de",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

    source

    last_updated: 2024-09-26