51808fa6-89a4-4f4d-aabc-0a7b0e99e34d

kdriver.sys :inline

Description

Confirmed vulnerable driver from Microsoft Block List

  • UUID: 51808fa6-89a4-4f4d-aabc-0a7b0e99e34d
  • Created: 2023-07-22
  • Author: Michael Haag
  • Acknowledgement: |

DownloadBlock

Use CasePrivilegesOperating System
Elevate privilegeskernelWindows

Detections

YARA 🏹

Expand

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://gist.github.com/mgraeber-rc/1bde6a2a83237f17b463d051d32e802c

    • CVE

    • Known Vulnerable Samples

    PropertyValue
    Filename
    Creation Timestamp2020-08-16 21:38:03
    MD570053ab9df31eb2dcd6f5b001386a8d2
    SHA1b1266873fa36a2104fd5d7f498a9957bc3d9d450
    SHA256603ccc97a198b004f9fa56deed2295d1b2d42ef01f22d80a00cb28bcf1b85646
    Authentihash MD5ff295de93e6b6dcc3938d50901a7240d
    Authentihash SHA1484c72dd4fd91083b249f3ccc733a3c8335e583f
    Authentihash SHA2560c7809ac1fa074408518ddc0ac118912c9cd43ed9c89213bc4d59043016b040c
    RichPEHeaderHash MD5ffdf660eb1ebf020a1d0a55a90712dfb
    RichPEHeaderHash SHA13e905e3d061d0d59de61fcf39c994fcb0ec1bab3
    RichPEHeaderHash SHA2562b3f99a94b7a7132854be769e27b331419c53989ef42f686d6f5ba09ddefefd6

    Download

    Imports

    Expand
    • ntoskrnl.exe
    • WDFLDR.SYS

    Imported Functions

    Expand
    • NtQuerySystemInformation
    • RtlInitUnicodeString
    • ExAllocatePool
    • ExAllocatePoolWithTag
    • ExFreePoolWithTag
    • IofCompleteRequest
    • IoCreateDevice
    • IoCreateSymbolicLink
    • IoDeleteDevice
    • IoDeleteSymbolicLink
    • _wcsicmp
    • RtlInitString
    • RtlAnsiStringToUnicodeString
    • RtlFreeUnicodeString
    • IoGetDeviceObjectPointer
    • ZwClose
    • MmIsAddressValid
    • ZwOpenDirectoryObject
    • ZwQueryDirectoryObject
    • ObReferenceObjectByName
    • ZwQuerySystemInformation
    • __C_specific_handler
    • MmHighestUserAddress
    • IoDriverObjectType
    • KeQueryTimeIncrement
    • KeStackAttachProcess
    • KeUnstackDetachProcess
    • PsGetProcessWow64Process
    • PsGetProcessPeb
    • MmUnlockPages
    • MmGetSystemRoutineAddress
    • MmUnmapLockedPages
    • IoFreeMdl
    • ZwTerminateProcess
    • PsGetProcessImageFileName
    • ObOpenObjectByPointer
    • PsReferenceProcessFilePointer
    • IoQueryFileDosDeviceName
    • ZwQueryVirtualMemory
    • MmProbeAndLockPages
    • PsLookupProcessByProcessId
    • MmMapLockedPagesSpecifyCache
    • IoAllocateMdl
    • IoGetCurrentProcess
    • MmCopyVirtualMemory
    • KeClearEvent
    • KeSetEvent
    • KeWaitForSingleObject
    • MmMapLockedPages
    • ObReferenceObjectByHandle
    • PsSetCreateProcessNotifyRoutineEx
    • PsSetCreateThreadNotifyRoutine
    • PsRemoveCreateThreadNotifyRoutine
    • PsSetLoadImageNotifyRoutine
    • PsRemoveLoadImageNotifyRoutine
    • ExEventObjectType
    • ObRegisterCallbacks
    • ObUnRegisterCallbacks
    • ObGetFilterVersion
    • IoThreadToProcess
    • strcmp
    • PsProcessType
    • PsThreadType
    • RtlGetVersion
    • ObfReferenceObject
    • ObGetObjectType
    • ExEnumHandleTable
    • ExfUnblockPushLock
    • _snprintf
    • vsprintf_s
    • ZwCreateFile
    • ZwWriteFile
    • PsLookupThreadByThreadId
    • NtQueryInformationThread
    • PsGetThreadProcess
    • DbgPrint
    • KeDelayExecutionThread
    • KdDisableDebugger
    • KdChangeOption
    • PsCreateSystemThread
    • PsTerminateSystemThread
    • KdDebuggerEnabled
    • PsGetVersion
    • KeInitializeEvent
    • RtlCopyUnicodeString
    • ObfDereferenceObject
    • ExReleaseFastMutex
    • ExAcquireFastMutex
    • MmBuildMdlForNonPagedPool
    • WdfVersionBindClass
    • WdfVersionBind
    • WdfVersionUnbind
    • WdfVersionUnbindClass

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • PAGE
    • INIT
    • .upx0
    • .reloc
    • .rsrc

    Signature

    Expand

    source

    last_updated: 2024-09-26