Description
Windows Ancillary Function Driver (Afd.sys) for WinSock is vulnerable to an Elevation of Privilege Vulnerability.
- UUID: 394f49b2-2d78-4d0d-b374-1399695455f3
- Created: 2024-08-21
- Author: Nasreddine Bencherchali
- Acknowledgement: |
DownloadBlock
This download link contains the vulnerable driver!
Commands
sc.exe create Afd.sys binPath=C:\windows\temp\Afd.sys type=kernel && sc.exe start Afd.sys
| Use Case | Privileges | Operating System |
|---|
| Elevate privileges | kernel | Windows 10 |
Detections
Sigma 🛡️
Expand
Names
detects loading using name only
Hashes
detects loading using hashes only
Resources
https://securityintelligence.com/x-force/patch-tuesday-exploit-wednesday-pwning-windows-ancillary-function-driver-winsock/https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21768CVE
CVE-2023-21768Known Vulnerable Samples
Download
Certificates
Expand
Certificate 330000038b7945c18b0eb687ec00000000038b
| Field | Value |
|---|
| ToBeSigned (TBS) MD5 | 3571fe0895d4e042d281b85ee58b8094 |
| ToBeSigned (TBS) SHA1 | 92770617b04ed48f52556dbbd37302ffee4405b5 |
| ToBeSigned (TBS) SHA256 | eb87b3c06bb677f315d42aae1a9b33c4e0bc04467f812af5224b9ae88ef8ca25 |
| Subject | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows |
| ValidFrom | 2022-05-05 19:23:13 |
| ValidTo | 2023-05-04 19:23:13 |
| Signature | d9767f52fe0a5596caefe5ab5176340309d5b90d6f25bed7eadb6299aa0c493b6b6e6de70b34bb54c32174f7a90c63b50b063b4289debf28efcea6e292bee015a7a28ed76c0c70271c8229d968d42dca5081bc104a2afe79587897dfc10d5c39ce4826e0cdcc940228765eebf20e36706932db4fc99abb40daeb888c07e72428fc9563ef319802edfdb93fa4a7b92b6533f59bb82e7996af2f0c2975a150674652cb008867f5259fb37cffc549316ee2edd4ecf80e1cb26fd1233d0e9df4a54111dbd3806c16307465bede1fb0cfc12afaa53fec3acf934819d6faee9d9d8de2af1cc283a5d6dd43ebd913e93aefe7a4f931bee26f858817a7d154d45e6d378e |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
| IsCertificateAuthority | False |
| SerialNumber | 330000038b7945c18b0eb687ec00000000038b |
| Version | 3 |
Certificate 61077656000000000008
| Field | Value |
|---|
| ToBeSigned (TBS) MD5 | 30a3f0b64324ed7f465e7fc618cb69e7 |
| ToBeSigned (TBS) SHA1 | 002de3561519b662c5e3f5faba1b92c403fb7c41 |
| ToBeSigned (TBS) SHA256 | 4e80be107c860de896384b3eff50504dc2d76ac7151df3102a4450637a032146 |
| Subject | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011 |
| ValidFrom | 2011-10-19 18:41:42 |
| ValidTo | 2026-10-19 18:51:42 |
| Signature | 14fc7c7151a579c26eb2ef393ebc3c520f6e2b3f101373fea868d048a6344d8a960526ee3146906179d6ff382e456bf4c0e528b8da1d8f8adb09d71ac74c0a36666a8cec1bd70490a81817a49bb9e240323676c4c15ac6bfe404c0ea16d3acc368ef62acdd546c503058a6eb7cfe94a74e8ef4ec7c867357c2522173345af3a38a56c804da0709edf88be3cef47e8eaef0f60b8a08fb3fc91d727f53b8ebbe63e0e33d3165b081e5f2accd16a49f3da8b19bc242d090845f541dff89eaba1d47906fb0734e419f409f5fe5a12ab21191738a2128f0cede73395f3eab5c60ecdf0310a8d309e9f4f69685b67f51886647198da2b0123d812a680577bb914c627bb6c107c7ba7a8734030e4b627a99e9cafcce4a37c92da4577c1cfe3ddcb80f5afad6c4b30285023aeab3d96ee4692137de81d1f675190567d393575e291b39c8ee2de1cde445735bd0d2ce7aab1619824658d05e9d81b367af6c35f2bce53f24e235a20a7506f6185699d4782cd1051bebd088019daa10f105dfba7e2c63b7069b2321c4f9786ce2581706362b911203cca4d9f22dbaf9949d40ed1845f1ce8a5c6b3eab03d370182a0a6ae05f47d1d5630a32f2afd7361f2a705ae5425908714b57ba7e8381f0213cf41cc1c5b990930e88459386e9b12099be98cbc595a45d62d6a0630820bd7510777d3df345b99f979fcb57806f33a904cf77a4621c597e |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
| IsCertificateAuthority | True |
| SerialNumber | 61077656000000000008 |
| Version | 3 |
Imports
Expand
Imported Functions
Expand
- RtlEqualUnicodeString
- RtlPrefixUnicodeString
- RtlAppendUnicodeToString
- FsRtlAllocateExtraCreateParameterList
- FsRtlAllocateExtraCreateParameter
- FsRtlFreeExtraCreateParameterList
- FsRtlInsertExtraCreateParameter
- IoSetTopLevelIrp
- IoCreateFileEx
- ObOpenObjectByPointer
- ZwClose
- ObDereferenceSecurityDescriptor
- RtlCompareMemory
- ExEnterCriticalRegionAndAcquireResourceShared
- KeInitializeEvent
- KeWaitForSingleObject
- KeResetEvent
- PsChargeProcessPoolQuota
- PsReturnPoolQuota
- IoCreateFile
- IoFreeIrp
- KeGetCurrentProcessorNumberEx
- EtwWriteTransfer
- EtwActivityIdControl
- ExInitializeRundownProtection
- KfRaiseIrql
- KeReleaseInStackQueuedSpinLockFromDpcLevel
- KeLowerIrql
- KeGetCurrentIrql
- RtlCompareUnicodeString
- ExReleaseResourceLite
- ExAcquireResourceExclusiveLite
- ExAllocatePool3
- RtlCopyUnicodeString
- ExAllocatePoolWithTagPriority
- MmSizeOfMdl
- ExRaiseStatus
- IoInitializeIrp
- MmBuildMdlForNonPagedPool
- IoAllocateErrorLogEntry
- _vsnwprintf
- PsGetProcessId
- IoWriteErrorLogEntry
- PsGetProcessExitTime
- KeEnterCriticalRegion
- ExWaitForRundownProtectionRelease
- KeLeaveCriticalRegion
- IoSetIoCompletion
- ExDeleteResourceLite
- RtlInitString
- RtlEqualString
- IoGetFileObjectGenericMapping
- RtlMapGenericMask
- SeLockSubjectContext
- SeAccessCheck
- SeAppendPrivileges
- SeFreePrivileges
- SeUnlockSubjectContext
- SeAssignSecurity
- ObLogSecurityDescriptor
- KeSetEvent
- IoBuildDeviceIoControlRequest
- IoAllocateIrp
- ExEventObjectType
- ProbeForWrite
- ExGetPreviousMode
- ExRaiseAccessViolation
- ExInitializeResourceLite
- EtwSetInformation
- EtwRegister
- MmIsVerifierEnabled
- IoCreateDevice
- IoAllocateWorkItem
- ExInitializeNPagedLookasideList
- KeQueryMaximumProcessorCountEx
- ExDeleteNPagedLookasideList
- ExDeleteLookasideListEx
- IoFreeWorkItem
- IoDeleteDevice
- EtwUnregister
- ExUnregisterCallback
- IoOpenDriverRegistryKey
- ExSubscribeWnfStateChange
- ZwQueryValueKey
- RtlLengthSid
- SeExports
- RtlCreateAcl
- RtlAddAccessAllowedAce
- ObGetObjectSecurity
- RtlSetDaclSecurityDescriptor
- RtlLengthSecurityDescriptor
- SeSetSecurityDescriptorInfo
- ObReleaseObjectSecurity
- ZwNotifyChangeKey
- IoQueueWorkItem
- FsRtlFindExtraCreateParameter
- PsLookupProcessByProcessId
- ObCloseHandle
- SeCreateAccessState
- SeDeleteAccessState
- SeQuerySecurityDescriptorInfo
- KeReadStateEvent
- KeEnterGuardedRegion
- KeLeaveGuardedRegion
- KePulseEvent
- KeAcquireQueuedSpinLock
- KeReleaseQueuedSpinLock
- MmAdvanceMdl
- KeBugCheckEx
- ExpInterlockedFlushSList
- ExSystemTimeToLocalTime
- RtlTimeToTimeFields
- KeInitializeDpc
- KeInitializeTimer
- KeSetCoalescableTimer
- strrchr
- KeAcquireSpinLockAtDpcLevel
- KeReleaseSpinLockFromDpcLevel
- KeInitializeTimerEx
- KeFlushQueuedDpcs
- IoCompletionObjectType
- ExAcquireRundownProtection
- IoInitializeMiniCompletionPacket
- ExReleaseRundownProtection
- IoRemoveIoCompletion
- IoCancelMiniCompletionPacket
- IoSetIoCompletionEx3
- ExAcquireResourceSharedLite
- ZwUpdateWnfStateData
- PsRegisterSiloMonitor
- PsStartSiloMonitor
- PsUnregisterSiloMonitor
- ExRundownCompleted
- PsGetSiloIdentifier
- PsCreateSiloContext
- PsInsertPermanentSiloContext
- PsGetSiloMonitorContextSlot
- PsDereferenceSiloContext
- PsGetPermanentSiloContext
- PsAttachSiloToCurrentThread
- PsDetachSiloFromCurrentThread
- PsGetCurrentServerSilo
- PsGetCurrentProcess
- KeSetTimer
- KeCancelTimer
- IoQueryFileInformation
- IoGetRequestorProcess
- KeAttachProcess
- FsRtlMdlRead
- KeDetachProcess
- FsRtlMdlReadComplete
- IoCancelIrp
- ExAllocateFromNPagedLookasideList
- ExFreeToNPagedLookasideList
- FsRtlCopyRead
- MmLockPagableDataSection
- IoThreadToProcess
- MmSystemRangeStart
- ObFindHandleForObject
- KeTestSpinLock
- RtlIntegerToUnicode
- RtlAppendUnicodeStringToString
- ObReferenceSecurityDescriptor
- KeDelayExecutionThread
- IoReuseIrp
- IoWMIWriteEvent
- IoGetDeviceAttachmentBaseRef
- IoFreeErrorLogEntry
- ZwCreateEvent
- KeWaitForMultipleObjects
- ExReleaseResourceForThreadLite
- ObfDereferenceObjectWithTag
- ObfReferenceObjectWithTag
- PsReferenceImpersonationToken
- PsDereferenceImpersonationToken
- PsReferenceSiloContext
- PsGetProcessImageFileName
- IoSizeofWorkItem
- IoInitializeWorkItem
- IoSetIoCompletionEx
- MmGetSystemRoutineAddress
- IoWMIRegistrationControl
- MmLockPagableSectionByHandle
- MmUnlockPagableImageSection
- WmiTraceMessageVa
- IoGetTopLevelIrp
- ExReleaseResourceAndLeaveCriticalRegion
- ExRegisterCallback
- ExEnterCriticalRegionAndAcquireResourceExclusive
- ExCreateCallback
- RtlInitUnicodeString
- RtlCreateSecurityDescriptor
- MmIsThisAnNtAsSystem
- RtlGetVersion
- KeGetRecommendedSharedDataAlignment
- InitializeSListHead
- KeInitializeSpinLock
- ExpInterlockedPopEntrySList
- MmMapLockedPages
- MmMapLockedPagesSpecifyCache
- ExQueueWorkItem
- KeInsertQueueApc
- KeInitializeApc
- IoGetRelatedDeviceObject
- IoBuildPartialMdl
- IoFreeMdl
- MmUnlockPages
- ExpInterlockedPushEntrySList
- ExQueryDepthSList
- ObfReferenceObject
- MmProbeAndLockPages
- IoAllocateMdl
- ExRaiseDatatypeMisalignment
- MmUserProbeAddress
- IoReleaseCancelSpinLock
- KeAcquireInStackQueuedSpinLockAtDpcLevel
- IofCompleteRequest
- ObfDereferenceObject
- IofCallDriver
- IoAcquireCancelSpinLock
- KeAcquireSpinLockRaiseToDpc
- ExInitializeLookasideListEx
- ExAllocateFromLookasideListEx
- KeReleaseSpinLock
- ExFreeToLookasideListEx
- KeReleaseInStackQueuedSpinLock
- KeAcquireInStackQueuedSpinLock
- IoFileObjectType
- ObReferenceObjectByHandle
- PsGetCurrentProcessId
- ExFreePoolWithTag
- ExAllocatePool2
- PsRevertToSelf
- SeImpersonateClientEx
- SeCaptureSubjectContextEx
- SeReleaseSubjectContext
- SeDeleteClientSecurity
- SeCreateClientSecurityFromSubjectContext
- IoGetCurrentProcess
- EtwWrite
- IoIs32bitProcess
- __C_specific_handler
- PcwUnregister
- PcwAddInstance
- ExQueryWnfStateData
- PcwRegister
- TdiCopyMdlToBuffer
- TdiReturnChainedReceives
- TdiRegisterPnPHandlers
- TdiDeregisterPnPHandlers
- TdiMatchPdoWithChainedReceiveContext
- TdiCopyBufferToMdl
- NsiGetAllParameters
- NetioNrtIsTrackerDevice
- NetioNrtDispatch
- NetioSetTriageBlock
- NetioNrtStart
- NetioTimerWorkItemInitialize
- NetioTimerWorkItemStart
- NetioTimerWorkItemShutdown
- NetioNrtStop
- RtlCopyMdlToBuffer
- NetioInsertWorkQueue
- NetioShutdownWorkQueue
- NetioInitializeWorkQueue
- NmrProviderDetachClientComplete
- NmrWaitForProviderDeregisterComplete
- NmrDeregisterProvider
- NmrRegisterProvider
- NmrClientAttachProvider
- NmrClientDetachProviderComplete
- NmrWaitForClientDeregisterComplete
- NmrDeregisterClient
- NmrRegisterClient
- GetDefaultCompartmentId
- NsiFreeTable
- NsiAllocateAndGetTable
- NsiRegisterChangeNotificationEx
- NsiDeregisterChangeNotification
- NsiRegisterChangeNotification
- RtlCopyMdlToMdl
- RtlCleanupTimerWheelEntry
- RtlIndicateTimerWheelEntryTimerStart
- RtlInitializeTimerWheelEntry
- RtlCleanupTimerWheel
- RtlSuspendTimerWheel
- RtlInitializeTimerWheel
- RtlReturnTimerWheelEntry
- RtlGetNextExpiredTimerWheelEntry
- RtlUpdateCurrentTimerWheelTick
- RpcBindingFree
- RpcExceptionFilter
- RpcAsyncCompleteCall
- RpcBindingBind
- RpcBindingSetOption
- RpcAsyncInitializeHandle
- RpcBindingCreateW
- RpcAsyncCancelCall
- RpcBindingUnbind
- Ndr64AsyncClientCall
Exported Functions
Expand
Sections
Expand
- .text
- .rdata
- .data
- .pdata
- .idata
- PAGE
- PAGEWPP
- PAGESAN
- PAGEWTDI
- fothk
- PAGEDATA
- INIT
- GFIDS
- .rsrc
- .reloc
Signature
Expand
{
"Certificates": [
{
"IsCertificateAuthority": false,
"SerialNumber": "330000038b7945c18b0eb687ec00000000038b",
"Signature": "d9767f52fe0a5596caefe5ab5176340309d5b90d6f25bed7eadb6299aa0c493b6b6e6de70b34bb54c32174f7a90c63b50b063b4289debf28efcea6e292bee015a7a28ed76c0c70271c8229d968d42dca5081bc104a2afe79587897dfc10d5c39ce4826e0cdcc940228765eebf20e36706932db4fc99abb40daeb888c07e72428fc9563ef319802edfdb93fa4a7b92b6533f59bb82e7996af2f0c2975a150674652cb008867f5259fb37cffc549316ee2edd4ecf80e1cb26fd1233d0e9df4a54111dbd3806c16307465bede1fb0cfc12afaa53fec3acf934819d6faee9d9d8de2af1cc283a5d6dd43ebd913e93aefe7a4f931bee26f858817a7d154d45e6d378e",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
"Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows",
"TBS": {
"MD5": "3571fe0895d4e042d281b85ee58b8094",
"SHA1": "92770617b04ed48f52556dbbd37302ffee4405b5",
"SHA256": "eb87b3c06bb677f315d42aae1a9b33c4e0bc04467f812af5224b9ae88ef8ca25",
"SHA384": "c69afe0ab751676ab08b29d2dc26744375c2b0058dcba2020816571a59a0dd44bbcd50c829eb04bd9553482231c49991"
},
"ValidFrom": "2022-05-05 19:23:13",
"ValidTo": "2023-05-04 19:23:13",
"Version": 3
},
{
"IsCertificateAuthority": true,
"SerialNumber": "61077656000000000008",
"Signature": "14fc7c7151a579c26eb2ef393ebc3c520f6e2b3f101373fea868d048a6344d8a960526ee3146906179d6ff382e456bf4c0e528b8da1d8f8adb09d71ac74c0a36666a8cec1bd70490a81817a49bb9e240323676c4c15ac6bfe404c0ea16d3acc368ef62acdd546c503058a6eb7cfe94a74e8ef4ec7c867357c2522173345af3a38a56c804da0709edf88be3cef47e8eaef0f60b8a08fb3fc91d727f53b8ebbe63e0e33d3165b081e5f2accd16a49f3da8b19bc242d090845f541dff89eaba1d47906fb0734e419f409f5fe5a12ab21191738a2128f0cede73395f3eab5c60ecdf0310a8d309e9f4f69685b67f51886647198da2b0123d812a680577bb914c627bb6c107c7ba7a8734030e4b627a99e9cafcce4a37c92da4577c1cfe3ddcb80f5afad6c4b30285023aeab3d96ee4692137de81d1f675190567d393575e291b39c8ee2de1cde445735bd0d2ce7aab1619824658d05e9d81b367af6c35f2bce53f24e235a20a7506f6185699d4782cd1051bebd088019daa10f105dfba7e2c63b7069b2321c4f9786ce2581706362b911203cca4d9f22dbaf9949d40ed1845f1ce8a5c6b3eab03d370182a0a6ae05f47d1d5630a32f2afd7361f2a705ae5425908714b57ba7e8381f0213cf41cc1c5b990930e88459386e9b12099be98cbc595a45d62d6a0630820bd7510777d3df345b99f979fcb57806f33a904cf77a4621c597e",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
"Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011",
"TBS": {
"MD5": "30a3f0b64324ed7f465e7fc618cb69e7",
"SHA1": "002de3561519b662c5e3f5faba1b92c403fb7c41",
"SHA256": "4e80be107c860de896384b3eff50504dc2d76ac7151df3102a4450637a032146",
"SHA384": "4f9a02c3eac5e83c38074d54c0bf270e03a1d668e0001c9812c509eb08a19075ee778a7630e65598e4608fc66e2d1c66"
},
"ValidFrom": "2011-10-19 18:41:42",
"ValidTo": "2026-10-19 18:51:42",
"Version": 3
}
],
"CertificatesInfo": "",
"Signer": [
{
"Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011",
"SerialNumber": "330000038b7945c18b0eb687ec00000000038b",
"Version": 1
}
],
"SignerInfo": ""
}
Download
Certificates
Expand
Certificate 330000038db0bfe1b0ca33b3d400000000038d
| Field | Value |
|---|
| ToBeSigned (TBS) MD5 | 74a1035aa6d38ec0a7a35a6d143cc612 |
| ToBeSigned (TBS) SHA1 | 62c5627f7d38759edce84eace5ae41fc7a54d6f8 |
| ToBeSigned (TBS) SHA256 | b6319137740477c564fb2beb1d50929a333f092aa362ce5129085a2c9d4bf489 |
| Subject | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows |
| ValidFrom | 2022-05-05 19:23:15 |
| ValidTo | 2023-05-04 19:23:15 |
| Signature | 7aa4402e28e909a6f7ff198a87c8f546fd868da5adf65529e8ced9b8ff16f56d03704671b64454a21437cdc6b47d83ea130e55b30ed223fda526676f6034a0d649e924cdf96d3c26386378d2ab91da329e3ddecbfe21c7f32764df6409a7f82f67c90ab5d9d7c167376487b3579fc1d99201098d2124f91f6558fb03285a49159fcc6d6ff6f8bbbc51f5209689963bebbc504c08089fa7c13e3bbae4f3c77a3a083548f8c95a1504b66fd5cfa658f9353ca231fd085e94f9bdb9bf68e302cae1bb6d483f97b5d4a2d26486fcab72ebe5fd0b555066edd3d894531f836130e309ccf4e98d1b44950efb0812a2190d4b0df3c5bf7ee8123a1d57410cd797dc0ccf |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
| IsCertificateAuthority | False |
| SerialNumber | 330000038db0bfe1b0ca33b3d400000000038d |
| Version | 3 |
Certificate 61077656000000000008
| Field | Value |
|---|
| ToBeSigned (TBS) MD5 | 30a3f0b64324ed7f465e7fc618cb69e7 |
| ToBeSigned (TBS) SHA1 | 002de3561519b662c5e3f5faba1b92c403fb7c41 |
| ToBeSigned (TBS) SHA256 | 4e80be107c860de896384b3eff50504dc2d76ac7151df3102a4450637a032146 |
| Subject | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011 |
| ValidFrom | 2011-10-19 18:41:42 |
| ValidTo | 2026-10-19 18:51:42 |
| Signature | 14fc7c7151a579c26eb2ef393ebc3c520f6e2b3f101373fea868d048a6344d8a960526ee3146906179d6ff382e456bf4c0e528b8da1d8f8adb09d71ac74c0a36666a8cec1bd70490a81817a49bb9e240323676c4c15ac6bfe404c0ea16d3acc368ef62acdd546c503058a6eb7cfe94a74e8ef4ec7c867357c2522173345af3a38a56c804da0709edf88be3cef47e8eaef0f60b8a08fb3fc91d727f53b8ebbe63e0e33d3165b081e5f2accd16a49f3da8b19bc242d090845f541dff89eaba1d47906fb0734e419f409f5fe5a12ab21191738a2128f0cede73395f3eab5c60ecdf0310a8d309e9f4f69685b67f51886647198da2b0123d812a680577bb914c627bb6c107c7ba7a8734030e4b627a99e9cafcce4a37c92da4577c1cfe3ddcb80f5afad6c4b30285023aeab3d96ee4692137de81d1f675190567d393575e291b39c8ee2de1cde445735bd0d2ce7aab1619824658d05e9d81b367af6c35f2bce53f24e235a20a7506f6185699d4782cd1051bebd088019daa10f105dfba7e2c63b7069b2321c4f9786ce2581706362b911203cca4d9f22dbaf9949d40ed1845f1ce8a5c6b3eab03d370182a0a6ae05f47d1d5630a32f2afd7361f2a705ae5425908714b57ba7e8381f0213cf41cc1c5b990930e88459386e9b12099be98cbc595a45d62d6a0630820bd7510777d3df345b99f979fcb57806f33a904cf77a4621c597e |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
| IsCertificateAuthority | True |
| SerialNumber | 61077656000000000008 |
| Version | 3 |
Imports
Expand
Imported Functions
Expand
- RtlEqualUnicodeString
- RtlPrefixUnicodeString
- RtlAppendUnicodeToString
- FsRtlAllocateExtraCreateParameterList
- FsRtlAllocateExtraCreateParameter
- FsRtlFreeExtraCreateParameterList
- FsRtlInsertExtraCreateParameter
- IoSetTopLevelIrp
- IoCreateFileEx
- ObOpenObjectByPointer
- ZwClose
- ObDereferenceSecurityDescriptor
- RtlCompareMemory
- ExEnterCriticalRegionAndAcquireResourceShared
- KeInitializeEvent
- KeWaitForSingleObject
- KeResetEvent
- PsChargeProcessPoolQuota
- PsReturnPoolQuota
- IoCreateFile
- IoFreeIrp
- KeGetCurrentProcessorNumberEx
- EtwWriteTransfer
- EtwActivityIdControl
- ExInitializeRundownProtection
- KfRaiseIrql
- KeReleaseInStackQueuedSpinLockFromDpcLevel
- KeLowerIrql
- KeGetCurrentIrql
- RtlCompareUnicodeString
- ExReleaseResourceLite
- ExAcquireResourceExclusiveLite
- ExAllocatePool3
- RtlCopyUnicodeString
- ExAllocatePoolWithTagPriority
- MmSizeOfMdl
- ExRaiseStatus
- IoInitializeIrp
- MmBuildMdlForNonPagedPool
- IoAllocateErrorLogEntry
- _vsnwprintf
- PsGetProcessId
- IoWriteErrorLogEntry
- PsGetProcessExitTime
- KeEnterCriticalRegion
- ExWaitForRundownProtectionRelease
- KeLeaveCriticalRegion
- IoSetIoCompletion
- ExDeleteResourceLite
- RtlInitString
- RtlEqualString
- IoGetFileObjectGenericMapping
- RtlMapGenericMask
- SeLockSubjectContext
- SeAccessCheck
- SeAppendPrivileges
- SeFreePrivileges
- SeUnlockSubjectContext
- SeAssignSecurity
- ObLogSecurityDescriptor
- KeSetEvent
- IoBuildDeviceIoControlRequest
- IoAllocateIrp
- ExEventObjectType
- ProbeForWrite
- ExGetPreviousMode
- ExRaiseAccessViolation
- ExInitializeResourceLite
- EtwSetInformation
- EtwRegister
- MmIsVerifierEnabled
- IoCreateDevice
- IoAllocateWorkItem
- ExInitializeNPagedLookasideList
- KeQueryMaximumProcessorCountEx
- ExDeleteNPagedLookasideList
- ExDeleteLookasideListEx
- IoFreeWorkItem
- IoDeleteDevice
- EtwUnregister
- ExUnregisterCallback
- IoOpenDriverRegistryKey
- ExSubscribeWnfStateChange
- ZwQueryValueKey
- RtlLengthSid
- SeExports
- RtlCreateAcl
- RtlAddAccessAllowedAce
- ObGetObjectSecurity
- RtlSetDaclSecurityDescriptor
- RtlLengthSecurityDescriptor
- SeSetSecurityDescriptorInfo
- ObReleaseObjectSecurity
- ZwNotifyChangeKey
- IoQueueWorkItem
- FsRtlFindExtraCreateParameter
- PsLookupProcessByProcessId
- ObCloseHandle
- SeCreateAccessState
- SeDeleteAccessState
- SeQuerySecurityDescriptorInfo
- KeReadStateEvent
- KeEnterGuardedRegion
- KeLeaveGuardedRegion
- KePulseEvent
- KeAcquireQueuedSpinLock
- KeReleaseQueuedSpinLock
- MmAdvanceMdl
- KeBugCheckEx
- ExpInterlockedFlushSList
- ExSystemTimeToLocalTime
- RtlTimeToTimeFields
- KeInitializeDpc
- KeInitializeTimer
- KeSetCoalescableTimer
- strrchr
- KeAcquireSpinLockAtDpcLevel
- KeReleaseSpinLockFromDpcLevel
- KeInitializeTimerEx
- KeFlushQueuedDpcs
- IoCompletionObjectType
- ExAcquireRundownProtection
- IoInitializeMiniCompletionPacket
- ExReleaseRundownProtection
- IoRemoveIoCompletion
- IoCancelMiniCompletionPacket
- IoSetIoCompletionEx3
- ExAcquireResourceSharedLite
- ZwUpdateWnfStateData
- PsRegisterSiloMonitor
- PsStartSiloMonitor
- PsUnregisterSiloMonitor
- ExRundownCompleted
- PsGetSiloIdentifier
- PsCreateSiloContext
- PsInsertPermanentSiloContext
- PsGetSiloMonitorContextSlot
- PsDereferenceSiloContext
- PsGetPermanentSiloContext
- PsAttachSiloToCurrentThread
- PsDetachSiloFromCurrentThread
- PsGetCurrentServerSilo
- PsGetCurrentProcess
- KeSetTimer
- KeCancelTimer
- IoQueryFileInformation
- IoGetRequestorProcess
- KeAttachProcess
- FsRtlMdlRead
- KeDetachProcess
- FsRtlMdlReadComplete
- IoCancelIrp
- ExAllocateFromNPagedLookasideList
- ExFreeToNPagedLookasideList
- FsRtlCopyRead
- MmLockPagableDataSection
- IoThreadToProcess
- MmSystemRangeStart
- ObFindHandleForObject
- KeTestSpinLock
- RtlIntegerToUnicode
- RtlAppendUnicodeStringToString
- ObReferenceSecurityDescriptor
- KeDelayExecutionThread
- IoReuseIrp
- IoWMIWriteEvent
- IoGetDeviceAttachmentBaseRef
- IoFreeErrorLogEntry
- ZwCreateEvent
- KeWaitForMultipleObjects
- ExReleaseResourceForThreadLite
- ObfDereferenceObjectWithTag
- ObfReferenceObjectWithTag
- PsReferenceImpersonationToken
- PsDereferenceImpersonationToken
- PsReferenceSiloContext
- PsGetProcessImageFileName
- IoSizeofWorkItem
- IoInitializeWorkItem
- IoSetIoCompletionEx
- MmGetSystemRoutineAddress
- IoWMIRegistrationControl
- MmLockPagableSectionByHandle
- MmUnlockPagableImageSection
- WmiTraceMessageVa
- IoGetTopLevelIrp
- ExReleaseResourceAndLeaveCriticalRegion
- ExRegisterCallback
- ExEnterCriticalRegionAndAcquireResourceExclusive
- ExCreateCallback
- RtlInitUnicodeString
- RtlCreateSecurityDescriptor
- MmIsThisAnNtAsSystem
- RtlGetVersion
- KeGetRecommendedSharedDataAlignment
- InitializeSListHead
- KeInitializeSpinLock
- ExpInterlockedPopEntrySList
- MmMapLockedPages
- MmMapLockedPagesSpecifyCache
- ExQueueWorkItem
- KeInsertQueueApc
- KeInitializeApc
- IoGetRelatedDeviceObject
- IoBuildPartialMdl
- IoFreeMdl
- MmUnlockPages
- ExpInterlockedPushEntrySList
- ExQueryDepthSList
- ObfReferenceObject
- MmProbeAndLockPages
- IoAllocateMdl
- ExRaiseDatatypeMisalignment
- MmUserProbeAddress
- IoReleaseCancelSpinLock
- KeAcquireInStackQueuedSpinLockAtDpcLevel
- IofCompleteRequest
- ObfDereferenceObject
- IofCallDriver
- IoAcquireCancelSpinLock
- KeAcquireSpinLockRaiseToDpc
- ExInitializeLookasideListEx
- ExAllocateFromLookasideListEx
- KeReleaseSpinLock
- ExFreeToLookasideListEx
- KeReleaseInStackQueuedSpinLock
- KeAcquireInStackQueuedSpinLock
- IoFileObjectType
- ObReferenceObjectByHandle
- PsGetCurrentProcessId
- ExFreePoolWithTag
- ExAllocatePool2
- PsRevertToSelf
- SeImpersonateClientEx
- SeCaptureSubjectContextEx
- SeReleaseSubjectContext
- SeDeleteClientSecurity
- SeCreateClientSecurityFromSubjectContext
- IoGetCurrentProcess
- EtwWrite
- IoIs32bitProcess
- __C_specific_handler
- PcwUnregister
- PcwAddInstance
- ExQueryWnfStateData
- PcwRegister
- TdiCopyMdlToBuffer
- TdiReturnChainedReceives
- TdiRegisterPnPHandlers
- TdiDeregisterPnPHandlers
- TdiMatchPdoWithChainedReceiveContext
- TdiCopyBufferToMdl
- NsiGetAllParameters
- NetioNrtIsTrackerDevice
- NetioNrtDispatch
- NetioSetTriageBlock
- NetioNrtStart
- NetioTimerWorkItemInitialize
- NetioTimerWorkItemStart
- NetioTimerWorkItemShutdown
- NetioNrtStop
- RtlCopyMdlToBuffer
- NetioInsertWorkQueue
- NetioShutdownWorkQueue
- NetioInitializeWorkQueue
- NmrProviderDetachClientComplete
- NmrWaitForProviderDeregisterComplete
- NmrDeregisterProvider
- NmrRegisterProvider
- NmrClientAttachProvider
- NmrClientDetachProviderComplete
- NmrWaitForClientDeregisterComplete
- NmrDeregisterClient
- NmrRegisterClient
- GetDefaultCompartmentId
- NsiFreeTable
- NsiAllocateAndGetTable
- NsiRegisterChangeNotificationEx
- NsiDeregisterChangeNotification
- NsiRegisterChangeNotification
- RtlCopyMdlToMdl
- RtlCleanupTimerWheelEntry
- RtlIndicateTimerWheelEntryTimerStart
- RtlInitializeTimerWheelEntry
- RtlCleanupTimerWheel
- RtlSuspendTimerWheel
- RtlInitializeTimerWheel
- RtlReturnTimerWheelEntry
- RtlGetNextExpiredTimerWheelEntry
- RtlUpdateCurrentTimerWheelTick
- RpcBindingFree
- RpcExceptionFilter
- RpcAsyncCompleteCall
- RpcBindingBind
- RpcBindingSetOption
- RpcAsyncInitializeHandle
- RpcBindingCreateW
- RpcAsyncCancelCall
- RpcBindingUnbind
- Ndr64AsyncClientCall
Exported Functions
Expand
Sections
Expand
- .text
- .rdata
- .data
- .pdata
- .idata
- PAGE
- PAGEWPP
- PAGESAN
- PAGEWTDI
- fothk
- PAGEDATA
- INIT
- GFIDS
- .rsrc
- .reloc
Signature
Expand
{
"Certificates": [
{
"IsCertificateAuthority": false,
"SerialNumber": "330000038b7945c18b0eb687ec00000000038b",
"Signature": "d9767f52fe0a5596caefe5ab5176340309d5b90d6f25bed7eadb6299aa0c493b6b6e6de70b34bb54c32174f7a90c63b50b063b4289debf28efcea6e292bee015a7a28ed76c0c70271c8229d968d42dca5081bc104a2afe79587897dfc10d5c39ce4826e0cdcc940228765eebf20e36706932db4fc99abb40daeb888c07e72428fc9563ef319802edfdb93fa4a7b92b6533f59bb82e7996af2f0c2975a150674652cb008867f5259fb37cffc549316ee2edd4ecf80e1cb26fd1233d0e9df4a54111dbd3806c16307465bede1fb0cfc12afaa53fec3acf934819d6faee9d9d8de2af1cc283a5d6dd43ebd913e93aefe7a4f931bee26f858817a7d154d45e6d378e",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
"Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows",
"TBS": {
"MD5": "3571fe0895d4e042d281b85ee58b8094",
"SHA1": "92770617b04ed48f52556dbbd37302ffee4405b5",
"SHA256": "eb87b3c06bb677f315d42aae1a9b33c4e0bc04467f812af5224b9ae88ef8ca25",
"SHA384": "c69afe0ab751676ab08b29d2dc26744375c2b0058dcba2020816571a59a0dd44bbcd50c829eb04bd9553482231c49991"
},
"ValidFrom": "2022-05-05 19:23:13",
"ValidTo": "2023-05-04 19:23:13",
"Version": 3
},
{
"IsCertificateAuthority": true,
"SerialNumber": "61077656000000000008",
"Signature": "14fc7c7151a579c26eb2ef393ebc3c520f6e2b3f101373fea868d048a6344d8a960526ee3146906179d6ff382e456bf4c0e528b8da1d8f8adb09d71ac74c0a36666a8cec1bd70490a81817a49bb9e240323676c4c15ac6bfe404c0ea16d3acc368ef62acdd546c503058a6eb7cfe94a74e8ef4ec7c867357c2522173345af3a38a56c804da0709edf88be3cef47e8eaef0f60b8a08fb3fc91d727f53b8ebbe63e0e33d3165b081e5f2accd16a49f3da8b19bc242d090845f541dff89eaba1d47906fb0734e419f409f5fe5a12ab21191738a2128f0cede73395f3eab5c60ecdf0310a8d309e9f4f69685b67f51886647198da2b0123d812a680577bb914c627bb6c107c7ba7a8734030e4b627a99e9cafcce4a37c92da4577c1cfe3ddcb80f5afad6c4b30285023aeab3d96ee4692137de81d1f675190567d393575e291b39c8ee2de1cde445735bd0d2ce7aab1619824658d05e9d81b367af6c35f2bce53f24e235a20a7506f6185699d4782cd1051bebd088019daa10f105dfba7e2c63b7069b2321c4f9786ce2581706362b911203cca4d9f22dbaf9949d40ed1845f1ce8a5c6b3eab03d370182a0a6ae05f47d1d5630a32f2afd7361f2a705ae5425908714b57ba7e8381f0213cf41cc1c5b990930e88459386e9b12099be98cbc595a45d62d6a0630820bd7510777d3df345b99f979fcb57806f33a904cf77a4621c597e",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
"Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011",
"TBS": {
"MD5": "30a3f0b64324ed7f465e7fc618cb69e7",
"SHA1": "002de3561519b662c5e3f5faba1b92c403fb7c41",
"SHA256": "4e80be107c860de896384b3eff50504dc2d76ac7151df3102a4450637a032146",
"SHA384": "4f9a02c3eac5e83c38074d54c0bf270e03a1d668e0001c9812c509eb08a19075ee778a7630e65598e4608fc66e2d1c66"
},
"ValidFrom": "2011-10-19 18:41:42",
"ValidTo": "2026-10-19 18:51:42",
"Version": 3
}
],
"CertificatesInfo": "",
"Signer": [
{
"Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011",
"SerialNumber": "330000038b7945c18b0eb687ec00000000038b",
"Version": 1
}
],
"SignerInfo": ""
}
source
last_updated: 2024-09-26
