31686f0e-3748-48c2-be09-fc8f3252e780

FairplayKD.sys

We were not able to verify the hash of this driver successfully, it has not been confirmed.

Description

FairplayKD.sys is a vulnerable driver and more information will be added as found.

  • UUID: 31686f0e-3748-48c2-be09-fc8f3252e780
  • Created: 2023-01-09
  • Author: Michael Haag
  • Acknowledgement: |

DownloadBlock

This download link contains the vulnerable driver!

Commands

sc.exe create FairplayKD.sys binPath=C:\windows\temp\FairplayKD.sys type=kernel && sc.exe start FairplayKD.sys
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed driver files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html
  • https://www.unknowncheats.me/forum/anti-cheat-bypass/244386-mta-fairplaykd-driver-reversed-exploited-rpm.html

    • Known Vulnerable Samples

    PropertyValue
    FilenameFairplayKD.sys
    Creation Timestamp2017-07-15 18:25:00
    MD54e90cd77509738d30d3181a4d0880bfa
    SHA1b4dcdbd97f38b24d729b986f84a9cdb3fc34d59f
    SHA2569f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5
    Authentihash MD55fb82230ba512d33a6e3090985a29e49
    Authentihash SHA10eaa4cf7d1944f6259dd9941209dec15a4029c4a
    Authentihash SHA25666d59e646f3965bc5225eca4285ae65f34b8681fb1bee3eaf440f6795b2fa70f
    RichPEHeaderHash MD50cfd4733c24065eb45f253c4cb122750
    RichPEHeaderHash SHA1e32f8f9859bd361c03f962f2c0a07ca346464c7d
    RichPEHeaderHash SHA2560a8551c7118d23e193be05fd6d9427dcbecf1038bd5c2b7c991bc444a6c2a184
    CompanyMulti Theft Auto
    DescriptionMulti Theft Auto patch driver
    ProductMTA San Andreas

    Download

    Certificates

    Expand
    Certificate 7e93ebfb7cc64e59ea4b9a77d406fc3b
    FieldValue
    ToBeSigned (TBS) MD5d0785ad36e427c92b19f6826ab1e8020
    ToBeSigned (TBS) SHA1365b7a9c21bd9373e49052c3e7b3e4646ddd4d43
    ToBeSigned (TBS) SHA256c2abb7484da91a658548de089d52436175fdb760a1387d225611dc0613a1e2ff
    SubjectC=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2
    ValidFrom2012-12-21 00:00:00
    ValidTo2020-12-30 23:59:59
    Signature03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber7e93ebfb7cc64e59ea4b9a77d406fc3b
    Version3
    Certificate 47974d7873a5bcab0d2fb370192fce5e
    FieldValue
    ToBeSigned (TBS) MD5e3a93dc2a8a8a668fdbb286bfe9afab5
    ToBeSigned (TBS) SHA195795d2aa2a554a423bc8c6e5b0a016d14887d35
    ToBeSigned (TBS) SHA256d8844186775bddbccaf3dc017064df7d760fd4b85c5d07561a3efd7da950f89e
    SubjectC=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2
    ValidFrom2010-02-08 00:00:00
    ValidTo2020-02-07 23:59:59
    Signature56fe535ce1c79ebca7ed7e536d6a144b518c405e805faaa4e82fef38c804c9ca3ecfdf3a584eb0d4b663c52957fa02059a454d68db2a1bd4343d9f00c35acb9549a56ee1b0c5fc414d414a6fd377c8d7388de419de18f31f1565836d450c53f90a9a2ea55dbf6f32811892196a5500ad631c52067e55d92968ae4a7c189a79886b2323d827382a298776cafbc7b662231fed7a564cdd9c325bf53d0c4618953b2a2368836441d9006d0f1924156872bdc571676eac4cdb90eb51a51a6207d0be6a00473c722fec4f613e7385ce5a0ab7bac01c1375e3223928dd6d1d09469d4fbae8408191c6a4ce94721b01cf2a6e15679589ae7db7b7cdf90a3d75b66b3c25
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber47974d7873a5bcab0d2fb370192fce5e
    Version3
    Certificate 0ecff438c8febf356e04d86a981b1a50
    FieldValue
    ToBeSigned (TBS) MD5e9d38360b914c8863f6cba3ee58764d3
    ToBeSigned (TBS) SHA14cba8eae47b6bf76f20b3504b98b8f062694a89b
    ToBeSigned (TBS) SHA25688901d86a4cc1f1bb193d08e1fb63d27452e63f83e228c657ab1a92e4ade3976
    SubjectC=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4
    ValidFrom2012-10-18 00:00:00
    ValidTo2020-12-29 23:59:59
    Signature783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber0ecff438c8febf356e04d86a981b1a50
    Version3
    Certificate 371fc099cdb143347b4424e9dc1f3b30
    FieldValue
    ToBeSigned (TBS) MD5494b9765c3a2b4a874439b1afcdde928
    ToBeSigned (TBS) SHA1be00543b1d5c59f704618fb5e4de9d6bcc18a2fd
    ToBeSigned (TBS) SHA256d748797bfa645ea26b7761c3d4cde817f9c036debfa38f3a167963655eba8a10
    SubjectC=BE, ST=Antwerpen, L=Kasterlee, O=No Organization Affiliation, OU=Individual Developer, CN=Hans Roes
    ValidFrom2016-07-06 00:00:00
    ValidTo2018-07-06 23:59:59
    Signature8e7c473dcbc241b3f17748f8144534fd278052b0ce46a6f86849323c04ad1d558a109d51583480f1e9db3a010800c6d930db6f9daad6c80caec40fef353b9c5b6bd7a438c5d5c3c9736d44e98d2ae6eb4aa202aa1af72439d60cab335a5027d1b3203df74c811eaf51aa5bfad4517dee3fd410450fdc4b9c3a8a8f0861a2a39202d8981e2a9bf98b31304fbb05ca33baf0c8140084f26c545ef24b0f1d9572354f552379f7cedd37344f720baaff27b61dfafdfd541b35027402ed88852853d8925eb2b3418ff3f0e6169ed7571d6416ec3f6815b23774be20d80d811f094f82c5a7c909a74c7f187d63780a0738d7f86629adca71c05d31b27f6e217724174e
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber371fc099cdb143347b4424e9dc1f3b30
    Version3
    Certificate 611fb0a400000000001d
    FieldValue
    ToBeSigned (TBS) MD5a3f222107d4e1085e73b5b589c2f480b
    ToBeSigned (TBS) SHA1b94aa26cd77c48d91a53ac44506cbd255e1d362c
    ToBeSigned (TBS) SHA256a39ed0d6fd4eb1a6f7fed60f726e23eae668b7591bc004644625d22c701213fa
    SubjectC=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. , For authorized use only, CN=thawte Primary Root CA
    ValidFrom2011-02-22 19:31:57
    ValidTo2021-02-22 19:41:57
    Signature2dcc71b5e8ba94ff5ee64467007b6afc412c3ee70e41855ab12a932ba95b89f2f72b499c8003f297b8e760a80ed7fd5de545467594f4ed1c9de166228b61fb29f2c6a8bdf387c98f7f47e1c058b64a1aa2e7f718606969e083069e26c775c40c0d79da746b52b9fae8ea3359b9bb18dd291a14dfd36a37277a9da0dacffffc22c4faf009ff33e93e17ba1cc742cfce2743d30c0c5581303db96060ce02ece19ee81ddc852ce0a18d966d95ac17a4713ea16741b6281d2ce3b615e5b7e5a2f6256d86e320acf9f8314f8e629b9833376d6af735523e90feb03b5fc5b852a9e06ea0479a279e97aea24a9e531939ec357ec659de3ae0aaf533f06abda0821812dea18c4570ca2bd62e959145995a5c240049bd23b30ceca43df5b9e1d1b1825a38eea3fba1ab483a8c5dffa065223fd3d3fe4990db1446a3852e8a554b09ab38b2ab63a008d1fdad48e273d812bcc26ca516fad09ac05e38383a2b718e553aac42197a1f0d4220e7ab5d8c6880524ca1c0d488d02321fb901309007b4937afa9df486022abf4f6c2363bf8513c34bbc586e43ae19f4b90fe5461024b159c34176aa94b8d4cb69d2326c83af1d6b805cdda1d6240183a2f1b41cd3a993a0aa9d1d77eb8c4aff7b8c980105ed55df6ce7a9a02c50f6381efb564e9fc5bd8d2619a68c37cf9c78df91e87d5fa2cf816ae9dab068fc86dc741cda14e84e3dac26ebcfb
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber611fb0a400000000001d
    Version3

    Imports

    Expand
    • ntoskrnl.exe

    Imported Functions

    Expand
    • PsProcessType
    • RtlAnsiStringToUnicodeString
    • KeUnstackDetachProcess
    • ObReferenceObjectByHandle
    • KeStackAttachProcess
    • RtlInitUnicodeString
    • PsThreadType
    • PsGetThreadProcessId
    • MmGetSystemRoutineAddress
    • _vsnwprintf
    • RtlCompareUnicodeString
    • RtlCompareMemory
    • RtlCopyUnicodeString
    • RtlGetVersion
    • MmUnmapLockedPages
    • ExAllocatePoolWithTag
    • ProbeForRead
    • ExRaiseStatus
    • ExFreePoolWithTag
    • ProbeForWrite
    • MmHighestUserAddress
    • MmMapLockedPagesSpecifyCache
    • IoGetCurrentProcess
    • MmProbeAndLockPages
    • MmUnlockPages
    • MmIsAddressValid
    • ObfDereferenceObject
    • KeBugCheckEx
    • PsGetVersion
    • ExAllocatePoolWithQuotaTag
    • ZwQuerySystemInformation
    • __C_specific_handler

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • PAGE
    • INIT
    • .rsrc
    • .reloc

    Signature

    Expand
    {
  "Certificates": [
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "7e93ebfb7cc64e59ea4b9a77d406fc3b",
      "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2",
      "TBS": {
        "MD5": "d0785ad36e427c92b19f6826ab1e8020",
        "SHA1": "365b7a9c21bd9373e49052c3e7b3e4646ddd4d43",
        "SHA256": "c2abb7484da91a658548de089d52436175fdb760a1387d225611dc0613a1e2ff",
        "SHA384": "eab4fe5ef90e0de4a6aa3a27769a5e879f588df5e4785aa4104debd1f81e19ea56d33e3a16e5facf99f68b5d8e3d287b"
      },
      "ValidFrom": "2012-12-21 00:00:00",
      "ValidTo": "2020-12-30 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "47974d7873a5bcab0d2fb370192fce5e",
      "Signature": "56fe535ce1c79ebca7ed7e536d6a144b518c405e805faaa4e82fef38c804c9ca3ecfdf3a584eb0d4b663c52957fa02059a454d68db2a1bd4343d9f00c35acb9549a56ee1b0c5fc414d414a6fd377c8d7388de419de18f31f1565836d450c53f90a9a2ea55dbf6f32811892196a5500ad631c52067e55d92968ae4a7c189a79886b2323d827382a298776cafbc7b662231fed7a564cdd9c325bf53d0c4618953b2a2368836441d9006d0f1924156872bdc571676eac4cdb90eb51a51a6207d0be6a00473c722fec4f613e7385ce5a0ab7bac01c1375e3223928dd6d1d09469d4fbae8408191c6a4ce94721b01cf2a6e15679589ae7db7b7cdf90a3d75b66b3c25",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2",
      "TBS": {
        "MD5": "e3a93dc2a8a8a668fdbb286bfe9afab5",
        "SHA1": "95795d2aa2a554a423bc8c6e5b0a016d14887d35",
        "SHA256": "d8844186775bddbccaf3dc017064df7d760fd4b85c5d07561a3efd7da950f89e",
        "SHA384": "78d972495720b43a6470b18ae1226bcca20707628087717a9364c14ca053ba264e6d149718b103542d9942200138a69d"
      },
      "ValidFrom": "2010-02-08 00:00:00",
      "ValidTo": "2020-02-07 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "0ecff438c8febf356e04d86a981b1a50",
      "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4",
      "TBS": {
        "MD5": "e9d38360b914c8863f6cba3ee58764d3",
        "SHA1": "4cba8eae47b6bf76f20b3504b98b8f062694a89b",
        "SHA256": "88901d86a4cc1f1bb193d08e1fb63d27452e63f83e228c657ab1a92e4ade3976",
        "SHA384": "e9f2a75334a9e336c5a4712eadee88d0374b0fdc273262f4e65c9040ad2793067cc076696db5279a478773485e285652"
      },
      "ValidFrom": "2012-10-18 00:00:00",
      "ValidTo": "2020-12-29 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "371fc099cdb143347b4424e9dc1f3b30",
      "Signature": "8e7c473dcbc241b3f17748f8144534fd278052b0ce46a6f86849323c04ad1d558a109d51583480f1e9db3a010800c6d930db6f9daad6c80caec40fef353b9c5b6bd7a438c5d5c3c9736d44e98d2ae6eb4aa202aa1af72439d60cab335a5027d1b3203df74c811eaf51aa5bfad4517dee3fd410450fdc4b9c3a8a8f0861a2a39202d8981e2a9bf98b31304fbb05ca33baf0c8140084f26c545ef24b0f1d9572354f552379f7cedd37344f720baaff27b61dfafdfd541b35027402ed88852853d8925eb2b3418ff3f0e6169ed7571d6416ec3f6815b23774be20d80d811f094f82c5a7c909a74c7f187d63780a0738d7f86629adca71c05d31b27f6e217724174e",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=BE, ST=Antwerpen, L=Kasterlee, O=No Organization Affiliation, OU=Individual Developer, CN=Hans Roes",
      "TBS": {
        "MD5": "494b9765c3a2b4a874439b1afcdde928",
        "SHA1": "be00543b1d5c59f704618fb5e4de9d6bcc18a2fd",
        "SHA256": "d748797bfa645ea26b7761c3d4cde817f9c036debfa38f3a167963655eba8a10",
        "SHA384": "f9655d60f4641898f82591f7568e41e5f7034c7395b22b05a684b2bc2bfbdcf75db2b955061196d5f86d41fd29f240f8"
      },
      "ValidFrom": "2016-07-06 00:00:00",
      "ValidTo": "2018-07-06 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "611fb0a400000000001d",
      "Signature": "2dcc71b5e8ba94ff5ee64467007b6afc412c3ee70e41855ab12a932ba95b89f2f72b499c8003f297b8e760a80ed7fd5de545467594f4ed1c9de166228b61fb29f2c6a8bdf387c98f7f47e1c058b64a1aa2e7f718606969e083069e26c775c40c0d79da746b52b9fae8ea3359b9bb18dd291a14dfd36a37277a9da0dacffffc22c4faf009ff33e93e17ba1cc742cfce2743d30c0c5581303db96060ce02ece19ee81ddc852ce0a18d966d95ac17a4713ea16741b6281d2ce3b615e5b7e5a2f6256d86e320acf9f8314f8e629b9833376d6af735523e90feb03b5fc5b852a9e06ea0479a279e97aea24a9e531939ec357ec659de3ae0aaf533f06abda0821812dea18c4570ca2bd62e959145995a5c240049bd23b30ceca43df5b9e1d1b1825a38eea3fba1ab483a8c5dffa065223fd3d3fe4990db1446a3852e8a554b09ab38b2ab63a008d1fdad48e273d812bcc26ca516fad09ac05e38383a2b718e553aac42197a1f0d4220e7ab5d8c6880524ca1c0d488d02321fb901309007b4937afa9df486022abf4f6c2363bf8513c34bbc586e43ae19f4b90fe5461024b159c34176aa94b8d4cb69d2326c83af1d6b805cdda1d6240183a2f1b41cd3a993a0aa9d1d77eb8c4aff7b8c980105ed55df6ce7a9a02c50f6381efb564e9fc5bd8d2619a68c37cf9c78df91e87d5fa2cf816ae9dab068fc86dc741cda14e84e3dac26ebcfb",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. , For authorized use only, CN=thawte Primary Root CA",
      "TBS": {
        "MD5": "a3f222107d4e1085e73b5b589c2f480b",
        "SHA1": "b94aa26cd77c48d91a53ac44506cbd255e1d362c",
        "SHA256": "a39ed0d6fd4eb1a6f7fed60f726e23eae668b7591bc004644625d22c701213fa",
        "SHA384": "64b7643e4146016cbf83c911eb67e4601b6bb8d66f8ee8dcee67b815f91770d86ab23678b984430f22a963e5484881b7"
      },
      "ValidFrom": "2011-02-22 19:31:57",
      "ValidTo": "2021-02-22 19:41:57",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2",
      "SerialNumber": "371fc099cdb143347b4424e9dc1f3b30",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

    source

    last_updated: 2024-09-26