7a0842ca-1a64-4ad1-9d66-25eb983d1742

directio32_legacy.sys :inline

Description

Confirmed vulnerable driver from Microsoft Block List

  • UUID: 7a0842ca-1a64-4ad1-9d66-25eb983d1742
  • Created: 2023-07-22
  • Author: Michael Haag
  • Acknowledgement: |

Download

Use CasePrivilegesOperating System
Elevate privilegeskernelWindows

Detections

YARA 🏹

Expand

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://gist.github.com/mgraeber-rc/1bde6a2a83237f17b463d051d32e802c

    • CVE

    • Known Vulnerable Samples

    PropertyValue
    Filename
    Creation Timestamp2020-08-11 23:45:00
    MD52da707d2fa073d60c4b069ce76a789ef
    SHA175c924435e87f38f20e5e77b7f2c382b9c9b974b
    SHA256035b96ff8b85d312be0f9df6271714392a802ec8bab59ae8229812ddc67ced5a
    Authentihash MD5a25749ae40ff475524e5df6431998825
    Authentihash SHA159c8f056dea50a4b6f6f63e50037089965568910
    Authentihash SHA2562fb5d7e6db01c9090bba92abf580d38993e02ce9357e08fe1f224a9b18056e5a
    RichPEHeaderHash MD578c0e4d4898d4d4cc2c6df5285c1e11b
    RichPEHeaderHash SHA10c932c2f26d8d024936f27bc6ff33dc736587a6e
    RichPEHeaderHash SHA256cae87d0bcaa037bfb6c422692648e50bb26aad2909044f1cdb1d6cb706dd94d1

    Download

    Certificates

    Expand
    Certificate 61204db4000000000027
    FieldValue
    ToBeSigned (TBS) MD58e3ffc222fbcebdbb8b23115ab259be7
    ToBeSigned (TBS) SHA1ee20bff28ffe13be731c294c90d6ded5aae0ec0e
    ToBeSigned (TBS) SHA25659826b69bc8c28118c96323b627da59aaca0b142cc5d8bad25a8fcfd399aa821
    SubjectC=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
    ValidFrom2011-04-15 19:45:33
    ValidTo2021-04-15 19:55:33
    Signature208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber61204db4000000000027
    Version3
    Certificate 0d671c2c3c13676231329afa97b1ec2b
    FieldValue
    ToBeSigned (TBS) MD5fd290a4891edd36420e082391a96d9b0
    ToBeSigned (TBS) SHA1fe33d6386cb017f4d39d5b1e21861bbc387aae7a
    ToBeSigned (TBS) SHA25657e2af9bbd6fed434ad5df9b194936fc6d3a1b71658bdd31c2d289f8a0f5c2e0
    Subject??=AU, ??=Private Organization, serialNumber=099 321 392, C=AU, ST=New South Wales, L=Surry Hills, O=PassMark Software Pty Ltd, CN=PassMark Software Pty Ltd
    ValidFrom2018-10-18 00:00:00
    ValidTo2021-02-28 12:00:00
    Signature5c01ed6a6f6c302d1b2ff3c17bae241ce2fcd501196d753b285ea9d44ba291565fc97503fa50ba4b0abba54066e1b04ac66018e8eb06c8104515df0b903f432e04c1d486336929a4d637fe7e06197a75ad7199bfae0a3a66ea6e55cf1ba9b68e33ef35f5b46cef71f5c8b6230d459c2e843a09b01ebe5020852ac9948357f09a66ad78bc60d795fce62fb63288f5550bc6446acbe7fdad31f8dd76045d7ed50bb79dc6ee9333ad8c12b64e2e544f922dfea0586b0d1cb80c37f96fc68b20f95b104f11ef5fe49349829afe35ceecfd22c96b5f89263701f95364d4f0816bcd0bee9e40aa1b956cd4659181e05d0872f4838b3208138b67d9c03faad605f1b924
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityFalse
    SerialNumber0d671c2c3c13676231329afa97b1ec2b
    Version3
    Certificate 03f1b4e15f3a82f1149678b3d7d8475c
    FieldValue
    ToBeSigned (TBS) MD583f5de89f641d0fbf60248e10a7b9534
    ToBeSigned (TBS) SHA1382a73a059a08698d6eb98c87e1b36fc750933a4
    ToBeSigned (TBS) SHA256eec58131dc11cd7f512501b15fdbc6074c603b68ca91f7162d5a042054edb0cf
    SubjectC=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)
    ValidFrom2012-04-18 12:00:00
    ValidTo2027-04-18 12:00:00
    Signature19334a0c813337dbad36c9e4c93abbb51b2e7aa2e2f44342179ebf4ea14de1b1dbe981dd9f01f2e488d5e9fe09fd21c1ec5d80d2f0d6c143c2fe772bdbf9d79133ce6cd5b2193be62ed6c9934f88408ecde1f57ef10fc6595672e8eb6a41bd1cd546d57c49ca663815c1bfe091707787dcc98d31c90c29a233ed8de287cd898d3f1bffd5e01a978b7cda6dfba8c6b23a666b7b01b3cdd8a634ec1201ab9558a5c45357a860e6e70212a0b92364a24dbb7c81256421becfee42184397bba53706af4dff26a54d614bec4641b865ceb8799e08960b818c8a3b8fc7998ca32a6e986d5e61c696b78ab9612d93b8eb0e0443d7f5fea6f062d4996aa5c1c1f0649480
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityTrue
    SerialNumber03f1b4e15f3a82f1149678b3d7d8475c
    Version3

    Imports

    Expand
    • ntoskrnl.exe
    • HAL.dll

    Imported Functions

    Expand
    • DbgPrintEx
    • RtlGetVersion
    • KeInitializeEvent
    • KeWaitForSingleObject
    • ExAllocatePoolWithTag
    • ExAllocatePoolWithQuotaTag
    • ExFreePoolWithTag
    • MmBuildMdlForNonPagedPool
    • MmMapLockedPagesSpecifyCache
    • MmUnmapLockedPages
    • MmMapIoSpace
    • MmUnmapIoSpace
    • IoAllocateErrorLogEntry
    • IoAllocateMdl
    • IoBuildDeviceIoControlRequest
    • IoBuildSynchronousFsdRequest
    • IofCallDriver
    • IofCompleteRequest
    • IoCreateDevice
    • IoCreateSymbolicLink
    • IoDeleteDevice
    • IoDeleteSymbolicLink
    • IoFreeMdl
    • IoGetAttachedDeviceReference
    • IoGetDeviceObjectPointer
    • IoWriteErrorLogEntry
    • IoGetDeviceProperty
    • ObReferenceObjectByHandle
    • ObReferenceObjectByPointer
    • RtlAppendUnicodeToString
    • ZwCreateFile
    • ZwWriteFile
    • ZwClose
    • ZwOpenSection
    • ZwMapViewOfSection
    • ZwUnmapViewOfSection
    • ZwOpenKey
    • ZwQueryValueKey
    • MmGetPhysicalMemoryRanges
    • PsGetProcessId
    • RtlFillMemoryUlong
    • KeStackAttachProcess
    • KeUnstackDetachProcess
    • IoEnumerateDeviceObjectList
    • ObQueryNameString
    • _vsnwprintf
    • ObReferenceObjectByName
    • memcpy
    • memmove
    • memset
    • IoFileObjectType
    • PsProcessType
    • PsInitialSystemProcess
    • NtBuildNumber
    • IoDriverObjectType
    • KeRevertToUserAffinityThread
    • KeSetSystemAffinityThread
    • KeQueryActiveProcessors
    • KeBugCheckEx
    • RtlAppendUnicodeStringToString
    • RtlUnwind
    • RtlWriteRegistryValue
    • MmGetSystemRoutineAddress
    • RtlQueryRegistryValues
    • RtlInitUnicodeString
    • RtlIntegerToUnicodeString
    • ObfDereferenceObject
    • wcsrchr
    • WRITE_PORT_USHORT
    • WRITE_PORT_UCHAR
    • READ_PORT_ULONG
    • READ_PORT_USHORT
    • READ_PORT_UCHAR
    • KeStallExecutionProcessor
    • WRITE_PORT_ULONG

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • PAGE
    • INIT
    • .reloc

    Signature

    Expand
    {
  "Certificates": [
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "61204db4000000000027",
      "Signature": "208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA",
      "TBS": {
        "MD5": "8e3ffc222fbcebdbb8b23115ab259be7",
        "SHA1": "ee20bff28ffe13be731c294c90d6ded5aae0ec0e",
        "SHA256": "59826b69bc8c28118c96323b627da59aaca0b142cc5d8bad25a8fcfd399aa821",
        "SHA384": "f2dab7e56a33298654924501499487f6ba72c7d9477476a186e1ed7a9be031fade0e35ac09eff5e56bbbab95ae5374e7"
      },
      "ValidFrom": "2011-04-15 19:45:33",
      "ValidTo": "2021-04-15 19:55:33",
      "Version": 3
    },
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "0d671c2c3c13676231329afa97b1ec2b",
      "Signature": "5c01ed6a6f6c302d1b2ff3c17bae241ce2fcd501196d753b285ea9d44ba291565fc97503fa50ba4b0abba54066e1b04ac66018e8eb06c8104515df0b903f432e04c1d486336929a4d637fe7e06197a75ad7199bfae0a3a66ea6e55cf1ba9b68e33ef35f5b46cef71f5c8b6230d459c2e843a09b01ebe5020852ac9948357f09a66ad78bc60d795fce62fb63288f5550bc6446acbe7fdad31f8dd76045d7ed50bb79dc6ee9333ad8c12b64e2e544f922dfea0586b0d1cb80c37f96fc68b20f95b104f11ef5fe49349829afe35ceecfd22c96b5f89263701f95364d4f0816bcd0bee9e40aa1b956cd4659181e05d0872f4838b3208138b67d9c03faad605f1b924",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "??=AU, ??=Private Organization, serialNumber=099 321 392, C=AU, ST=New South Wales, L=Surry Hills, O=PassMark Software Pty Ltd, CN=PassMark Software Pty Ltd",
      "TBS": {
        "MD5": "fd290a4891edd36420e082391a96d9b0",
        "SHA1": "fe33d6386cb017f4d39d5b1e21861bbc387aae7a",
        "SHA256": "57e2af9bbd6fed434ad5df9b194936fc6d3a1b71658bdd31c2d289f8a0f5c2e0",
        "SHA384": "feff93a9900bd0c3ac0d46892b5c06dc002eb55bc2daa6c4d62d20491c9f5141771c7563166751af02b2308059449e52"
      },
      "ValidFrom": "2018-10-18 00:00:00",
      "ValidTo": "2021-02-28 12:00:00",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "03f1b4e15f3a82f1149678b3d7d8475c",
      "Signature": "19334a0c813337dbad36c9e4c93abbb51b2e7aa2e2f44342179ebf4ea14de1b1dbe981dd9f01f2e488d5e9fe09fd21c1ec5d80d2f0d6c143c2fe772bdbf9d79133ce6cd5b2193be62ed6c9934f88408ecde1f57ef10fc6595672e8eb6a41bd1cd546d57c49ca663815c1bfe091707787dcc98d31c90c29a233ed8de287cd898d3f1bffd5e01a978b7cda6dfba8c6b23a666b7b01b3cdd8a634ec1201ab9558a5c45357a860e6e70212a0b92364a24dbb7c81256421becfee42184397bba53706af4dff26a54d614bec4641b865ceb8799e08960b818c8a3b8fc7998ca32a6e986d5e61c696b78ab9612d93b8eb0e0443d7f5fea6f062d4996aa5c1c1f0649480",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)",
      "TBS": {
        "MD5": "83f5de89f641d0fbf60248e10a7b9534",
        "SHA1": "382a73a059a08698d6eb98c87e1b36fc750933a4",
        "SHA256": "eec58131dc11cd7f512501b15fdbc6074c603b68ca91f7162d5a042054edb0cf",
        "SHA384": "4a25018683cabfb8ec2cad136334f37f33c89aa8540326322991d997c8adfb7faf06ab602ebd46630fe75fe3d2edc6b1"
      },
      "ValidFrom": "2012-04-18 12:00:00",
      "ValidTo": "2027-04-18 12:00:00",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)",
      "SerialNumber": "0d671c2c3c13676231329afa97b1ec2b",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

    source

    last_updated: 2024-04-09