500e07cb-77c6-4e83-ae3f-73f70f1c10b5

tfbfs3ped.sys

Description

Confirmed vulnerable driver, listed on the Microsoft driver block list.

  • UUID: 500e07cb-77c6-4e83-ae3f-73f70f1c10b5
  • Created: 2023-07-22
  • Author: Michael Haag
  • Acknowledgement: |


Use Case | Privileges | Operating System
Elevate privileges | kernel | Windows

Detections

YARA 🏹


Sigma 🛡️


Names

detects loading using name only (a renamed copy of the driver will not match, so pair this rule with the hash-based one)

Hashes

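detects loading using hashes only (matches the known sample under any file name, but not a build whose hashes differ from those listed below)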

Sysmon 🔎


Block

on hashes

Alert

on hashes

Resources


  • https://gist.github.com/mgraeber-rc/1bde6a2a83237f17b463d051d32e802c

  • CVE

  • Known Vulnerable Samples

    Property | Value
    Filename |
    Creation Timestamp | 2005-05-25 00:39:12
    MD5 | 59a48daa7dbdcb13bd0a11c71e1ad2f7
    SHA1 | 6c447a42e73d6feff09812abaf67af566d83eb3a
    SHA256 | 0897935ff2e0e7cc23a036ec0791d587b4799a299c8d6d65f364a8bdff645760
    Authentihash MD5 | a17d227444e090ff69e24fcb6d43162b
    Authentihash SHA1 | 43d3a3c1f7b14cfcc051cae2534dbbbb4c7fc120
    Authentihash SHA256 | b8eb26b6f79020ae988e4fb752dc06e1b6779749bf4f8df2872fc2b92bab8020
    RichPEHeaderHash MD5 | deb9c1e252f598099d70d2b33a313da3
    RichPEHeaderHash SHA1 | f0c2801e0091ed6f5e10ea7045e911aa90030290
    RichPEHeaderHash SHA256 | 914fb9761d50c3fa2ecf9fbd8af3735f9b8d6c4903e067c8af9546e79b6f22c7


    Certificates

    Certificate 3825d7faf861af9ef490e726b5d65ad5
    FieldValue
    ToBeSigned (TBS) MD5d6c7684e9aaa508cf268335f83afe040
    ToBeSigned (TBS) SHA118066d20ad92409c567cdfde745279ff71c75226
    ToBeSigned (TBS) SHA256a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff
    SubjectC=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2
    ValidFrom2007-06-15 00:00:00
    ValidTo2012-06-14 23:59:59
    Signature50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber3825d7faf861af9ef490e726b5d65ad5
    Version3
    Certificate 47bf1995df8d524643f7db6d480d31a4
    FieldValue
    ToBeSigned (TBS) MD5518d2ea8a21e879c942d504824ac211c
    ToBeSigned (TBS) SHA121ce87d827077e61abddf2beba69fde5432ea031
    ToBeSigned (TBS) SHA2561ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7
    SubjectC=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA
    ValidFrom2003-12-04 00:00:00
    ValidTo2013-12-03 23:59:59
    Signature4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber47bf1995df8d524643f7db6d480d31a4
    Version3
    Certificate 04000000000108d9611cd6
    FieldValue
    ToBeSigned (TBS) MD5698f075151097d84c0b1f3e7bc3d6fca
    ToBeSigned (TBS) SHA1041750993d7c9e063f02dfe74699598640911aab
    ToBeSigned (TBS) SHA256a8622cca0913a20477be8313b8d16fcad5d83088b46b36ddac10b31e96abb5e8
    SubjectC=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA
    ValidFrom1999-01-28 12:00:00
    ValidTo2014-01-27 11:00:00
    Signaturea0422eb876a7427186404d464d5b26b0b074f93f89a87b7cb7f1c697e08239999d43fe60823642b55b878df55df4bbffa91044a871d3c7f12241f29aa4a5ec63fae5eb654a19309d8bc7b6fddc3fe16cfdd5521407fc6d24ccb3cc81a2c052f327b96d9e063dd8a849023269c7054294d0bbe3bba908c393501bdb846dc0ba1e5298659c1376bdb3d567292f1f7baa2c51a0fd854f263c48a38127a6feee7f7899c245cf9d1f527ed7958bfde1d020c3af7e51a22f663bab2dcf2d8e8c4d7d18392128fbdcae6d6581d0e0d7184be7b5f774d784e6522aac3b68fd3b4ab80154849132bb95d28e6330a69ece2396feab2eb86a8b74dcde21a114c2fbbf53af10
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber04000000000108d9611cd6
    Version3
    Certificate 0100000000011c08b7f67e
    FieldValue
    ToBeSigned (TBS) MD54566c37f56f951a0ce5b4ae966c0ea9f
    ToBeSigned (TBS) SHA1a51cbf2834eb6f8535bc5e44913a9ec979379782
    ToBeSigned (TBS) SHA25688a8e9a799af515b9223e4cdf24d0ef1e72f12124be02786f026a3c26317b417
    SubjectC=TW, O=Micro,Star Int'l Co. Ltd., CN=Micro,Star Int'l Co. Ltd.
    ValidFrom2008-08-28 09:49:45
    ValidTo2011-08-28 09:49:45
    Signature572df373e9b036711b3cf5ee882e5d75d8d50f012407cf0c1b554ff8f41c7b6477fa0b2ad579f2c1fe7b8b9d7374b690527c219eb979686fb67d0b4cf2885d8d7d1261f05cb72fe4c9f294c52aa05f3e5d1ceb0d77085dbd6af07978032505da666f353283a8982af26985e69c1599479945b591124183574b8a4cc34caa62e31b523dac3fedbd04951b3661399ed34f5c5868d9bbe3295fc09890d9521e1cdcae2ff129f547d4c8ce8aa08616107c555fac60e5b63c14ddfeb6962af3608b75d9c77c69260d8af9775b83afaa15b8ecef6840cb4ee87d451f9042b49735ea40931c0664c8c2bf6a139db6ac5b90edcea63a6bf5b54978f027b1046170d476d0
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber0100000000011c08b7f67e
    Version3
    Certificate 04000000000117ab50b915
    FieldValue
    ToBeSigned (TBS) MD55686b287d716c4d2428b092c4ef30f9c
    ToBeSigned (TBS) SHA1306fb5fbeb3d531510bb4b663c4fd48adc121e14
    ToBeSigned (TBS) SHA25660846fc990e271a707cd2d53d0bb21834a04f7652214aa0c12597ff6649d352d
    SubjectC=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA
    ValidFrom2004-01-22 09:00:00
    ValidTo2014-01-27 10:00:00
    Signature3c4a010267edf20a2e736e40252f1dccbc2db652141b27122cf1229e190a89b6ef352a29152b1a88c20f37168d2602d5e93080f608b9939ac0498f332c3035ff4ab9892aa75c38e761a778fe22851a07b4b9edcf21f25ddedff329c5d38d9e14c4285c88e590a300442912b23e759540244a6beee2d0ef862ddf6d741a4f1cc79424c443464f7b81015d23733cd9752e995361565e7ccd13e237d222e570f8a743f6154147fda24702c43651ca545da6cdcad61817533ff1d38e0f0aafda17941657a0991431c90e1611d2c04ca2a25978fbb6b933cff763c9d2c4c84953dd8a59525e7d3b385eed220360ac85cd58325dcdc31c07fa7ef67efbc8ac378be498
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber04000000000117ab50b915
    Version3
    Certificate 610b7f6b000000000019
    FieldValue
    ToBeSigned (TBS) MD54798d55be7663a75649cda4dedc686ef
    ToBeSigned (TBS) SHA10f1ab2937b245d9466ea6f9bf056a5942e3989cf
    ToBeSigned (TBS) SHA256ef14ea05bb066ee9f4188196dd69cd769b283ac4d7555db52f5e76922d3456e1
    SubjectC=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA
    ValidFrom2006-05-23 17:00:51
    ValidTo2016-05-23 17:10:51
    Signature13c56c5e077f3c57ff9b315f3fbd955425c679f92c31034d64694b56d95b976f7cf3f0d024657538639813701613f7a701f1c623e085866c0bf080945a75e87ce41e92b473bfc1b3a7b00bd31884cbcc09a35c9c4f3eb03a9c2d1bc404ef9737966fe5ecbaac6ab3d4e23cdf8b25e7acbc624531dda40a72e41bf8784301ccba3914de5d90aed85acf5eca46815133d5a60e5867d3d8665888169beeb11acaad91138421da9a6e20efda007428bac95ff34d5dc3da25692554ea44bcc39b29331cd63c961f8781c553d72a2733d42e197c08586ddb4e1999a9ea5ff39a9d8c513a5a5cbd2fa908359b54a7db351a521633343aa380046afdb4838cad90cf0c3a6596ec334e1826b849bbeb8192ff134d324b23c733e7b6716b15f69c80e6bcb76cbe41d5033a7133150050743b0e5df996aaed903eab134c809926bc38a5eb0236891db620be83ab10f8199ed76379d4aeb12f6136f94a4ba833c70e7241f9f1b1907eae46efde397b75a0411459041d42bc4788b8130e05fa1df0808dff70c677d84bdc460e231a72d5bfdefeaaae69583cfc5c46e4d5819a8b6e6559771a32a590a6b6649364fd0753c9a0de28ad2a6cc638d181ce98f54019e92c1743a4265fd3443053e41d02baa40a2f16dd7a60275242bbad98372897e4b8d27911e3108c48d5305d0a0c52def588ea8d1a2d67c9f4801484b7850cd16628a5c66f2461
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber610b7f6b000000000019
    Version3

    Imports

    • ntoskrnl.exe
    • HAL.dll

    Imported Functions

    • RtlInitUnicodeString
    • ZwClose
    • ZwMapViewOfSection
    • ObReferenceObjectByHandle
    • ZwOpenSection
    • IoDeleteSymbolicLink
    • IofCompleteRequest
    • MmIsAddressValid
    • ZwUnmapViewOfSection
    • IoCreateSymbolicLink
    • IoCreateDevice
    • __C_specific_handler
    • IoDeleteDevice
    • HalTranslateBusAddress

    Exported Functions


    Sections

    • .text
    • .rdata
    • .data
    • .pdata
    • INIT

    Signature

    {
      "Certificates": [
        {
          "IsCertificateAuthority": false,
          "SerialNumber": "3825d7faf861af9ef490e726b5d65ad5",
          "Signature": "50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2",
          "TBS": {
            "MD5": "d6c7684e9aaa508cf268335f83afe040",
            "SHA1": "18066d20ad92409c567cdfde745279ff71c75226",
            "SHA256": "a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff",
            "SHA384": "35c249d6ad0261a6229b2a727067ac6ba32a5d24b30b9249051f748c7735fbe2ec2ef26a702c50df1790fbe32a65aee7"
          },
          "ValidFrom": "2007-06-15 00:00:00",
          "ValidTo": "2012-06-14 23:59:59",
          "Version": 3
        },
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "47bf1995df8d524643f7db6d480d31a4",
          "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA",
          "TBS": {
            "MD5": "518d2ea8a21e879c942d504824ac211c",
            "SHA1": "21ce87d827077e61abddf2beba69fde5432ea031",
            "SHA256": "1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7",
            "SHA384": "53e346bbde23779a5d116cc9d86fdd71c97b1f1b343439f8a11aa1d3c87af63864bb8488a5aeb2d0c26a6a1e0b15f03f"
          },
          "ValidFrom": "2003-12-04 00:00:00",
          "ValidTo": "2013-12-03 23:59:59",
          "Version": 3
        },
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "04000000000108d9611cd6",
          "Signature": "a0422eb876a7427186404d464d5b26b0b074f93f89a87b7cb7f1c697e08239999d43fe60823642b55b878df55df4bbffa91044a871d3c7f12241f29aa4a5ec63fae5eb654a19309d8bc7b6fddc3fe16cfdd5521407fc6d24ccb3cc81a2c052f327b96d9e063dd8a849023269c7054294d0bbe3bba908c393501bdb846dc0ba1e5298659c1376bdb3d567292f1f7baa2c51a0fd854f263c48a38127a6feee7f7899c245cf9d1f527ed7958bfde1d020c3af7e51a22f663bab2dcf2d8e8c4d7d18392128fbdcae6d6581d0e0d7184be7b5f774d784e6522aac3b68fd3b4ab80154849132bb95d28e6330a69ece2396feab2eb86a8b74dcde21a114c2fbbf53af10",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA",
          "TBS": {
            "MD5": "698f075151097d84c0b1f3e7bc3d6fca",
            "SHA1": "041750993d7c9e063f02dfe74699598640911aab",
            "SHA256": "a8622cca0913a20477be8313b8d16fcad5d83088b46b36ddac10b31e96abb5e8",
            "SHA384": "a50291d3b15caf28d96e972cefcb88455a58ce1c802920fdcc2f4feafb1553510fd9b464d25e81635f4ad37570225a67"
          },
          "ValidFrom": "1999-01-28 12:00:00",
          "ValidTo": "2014-01-27 11:00:00",
          "Version": 3
        },
        {
          "IsCertificateAuthority": false,
          "SerialNumber": "0100000000011c08b7f67e",
          "Signature": "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",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=TW, O=Micro,Star Int\u0027l Co. Ltd., CN=Micro,Star Int\u0027l Co. Ltd.",
          "TBS": {
            "MD5": "4566c37f56f951a0ce5b4ae966c0ea9f",
            "SHA1": "a51cbf2834eb6f8535bc5e44913a9ec979379782",
            "SHA256": "88a8e9a799af515b9223e4cdf24d0ef1e72f12124be02786f026a3c26317b417",
            "SHA384": "d8d8769d5b6a0fe7c56fcde24c735475ee0e5d01c63dbf7690cdae5a3e251818bed42443d0c6424d39e81a19d6c83bdb"
          },
          "ValidFrom": "2008-08-28 09:49:45",
          "ValidTo": "2011-08-28 09:49:45",
          "Version": 3
        },
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "04000000000117ab50b915",
          "Signature": "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",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA",
          "TBS": {
            "MD5": "5686b287d716c4d2428b092c4ef30f9c",
            "SHA1": "306fb5fbeb3d531510bb4b663c4fd48adc121e14",
            "SHA256": "60846fc990e271a707cd2d53d0bb21834a04f7652214aa0c12597ff6649d352d",
            "SHA384": "6b37b28ca97b32a31b0fa53b5e961ae0f2d1aae2c5bf46de132e57834ee3968d9af7ad204821f9389cc4e0b5a8481fe8"
          },
          "ValidFrom": "2004-01-22 09:00:00",
          "ValidTo": "2014-01-27 10:00:00",
          "Version": 3
        },
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "610b7f6b000000000019",
          "Signature": "13c56c5e077f3c57ff9b315f3fbd955425c679f92c31034d64694b56d95b976f7cf3f0d024657538639813701613f7a701f1c623e085866c0bf080945a75e87ce41e92b473bfc1b3a7b00bd31884cbcc09a35c9c4f3eb03a9c2d1bc404ef9737966fe5ecbaac6ab3d4e23cdf8b25e7acbc624531dda40a72e41bf8784301ccba3914de5d90aed85acf5eca46815133d5a60e5867d3d8665888169beeb11acaad91138421da9a6e20efda007428bac95ff34d5dc3da25692554ea44bcc39b29331cd63c961f8781c553d72a2733d42e197c08586ddb4e1999a9ea5ff39a9d8c513a5a5cbd2fa908359b54a7db351a521633343aa380046afdb4838cad90cf0c3a6596ec334e1826b849bbeb8192ff134d324b23c733e7b6716b15f69c80e6bcb76cbe41d5033a7133150050743b0e5df996aaed903eab134c809926bc38a5eb0236891db620be83ab10f8199ed76379d4aeb12f6136f94a4ba833c70e7241f9f1b1907eae46efde397b75a0411459041d42bc4788b8130e05fa1df0808dff70c677d84bdc460e231a72d5bfdefeaaae69583cfc5c46e4d5819a8b6e6559771a32a590a6b6649364fd0753c9a0de28ad2a6cc638d181ce98f54019e92c1743a4265fd3443053e41d02baa40a2f16dd7a60275242bbad98372897e4b8d27911e3108c48d5305d0a0c52def588ea8d1a2d67c9f4801484b7850cd16628a5c66f2461",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA",
          "TBS": {
            "MD5": "4798d55be7663a75649cda4dedc686ef",
            "SHA1": "0f1ab2937b245d9466ea6f9bf056a5942e3989cf",
            "SHA256": "ef14ea05bb066ee9f4188196dd69cd769b283ac4d7555db52f5e76922d3456e1",
            "SHA384": "6e7450a139856aeda6fa6284ff89b3752a9b646e096b4d33dd7e8e727742a2111481531581c0aa2cda0338e22cfdbad3"
          },
          "ValidFrom": "2006-05-23 17:00:51",
          "ValidTo": "2016-05-23 17:10:51",
          "Version": 3
        }
      ],
      "CertificatesInfo": "",
      "Signer": [
        {
          "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA",
          "SerialNumber": "0100000000011c08b7f67e",
          "Version": 1
        }
      ],
      "SignerInfo": ""
    }
    


    last_updated: 2024-04-09