b3fd8560-79d3-40b7-b05f-c78044176c8c
xjokercontroller.sys 
Description
Confirmed vulnerable driver from Microsoft Block List
| Use Case | Privileges | Operating System |
|---|---|---|
| Elevate privileges | kernel | Windows |
Detections
YARA 🏹
Expand
Resources
CVE
Known Vulnerable Samples
| Property | Value |
|---|---|
| Filename | |
| Creation Timestamp | 2020-04-19 21:19:37 |
| MD5 | 7b2918d0a19ca452d39ec59b7670e880 |
| SHA1 | 3edf489c11e25ff9b9b98c7708f3321c3d679603 |
| SHA256 | 19dba69b48b085d9487cc23a4135f3ef4849c181965bffc55baed9fa6c205429 |
| Authentihash MD5 | 788a1df0b3fd2dfa3fdfc24e441f9d2c |
| Authentihash SHA1 | 2a40c0a92107d9b3faa9aecdedf5016c1ea564f1 |
| Authentihash SHA256 | 25454028a4f56d3c58747811a86be43397a6290d1a053bc30d97b41bf3c58c6f |
| RichPEHeaderHash MD5 | ffdf660eb1ebf020a1d0a55a90712dfb |
| RichPEHeaderHash SHA1 | 3e905e3d061d0d59de61fcf39c994fcb0ec1bab3 |
| RichPEHeaderHash SHA256 | 2b3f99a94b7a7132854be769e27b331419c53989ef42f686d6f5ba09ddefefd6 |
Certificates
Expand
Certificate 0e9b188ef9d02de7efdb50e20840185a
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | 21a266bd49f2778b24d13d95641ea6ac |
| ToBeSigned (TBS) SHA1 | 21319f341fdf06bf6a104427afa8b7823b1ea7f3 |
| ToBeSigned (TBS) SHA256 | e933dc68ee65abd1f9b1aa6738eff60a6895d3d8cc4accf0c69069aa3decd757 |
| Subject | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Trusted Root G4 |
| ValidFrom | 2022-08-01 00:00:00 |
| ValidTo | 2031-11-09 23:59:59 |
| Signature | 70a0bf435c55e7385fa0a3741b3db616d7f7bf5707bd9aaca1872cec855ea91abb22f8871a695422eda488776dbd1a14f4134a7a2f2db738eff4ff80b9f8a1f7f272de24bc5203c84ed02adefa2d56cff9f4f7ac307a9a8bb25ed4cfd143449b4321eb9672a148b499cb9d4fa7060313772744d4e77fe859a8f0bf2f0ba6e9f2343cecf703c787a8d24c401935466a6954b0b8a1568eeca4d53de8b1dcfd1cd8f4775a5c548c6fefa1503dfc760968849f6fcadb208d35601c0203cb20b0ac58a00e4063c59822c1b259f5556bcf27ab6c76ce6f232df47e716a236b22ff12b8542d277ed83ad9f0b68796fd5bd15cac18c34d9f73b701a99f57aa5e28e2b994 |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.12 |
| IsCertificateAuthority | True |
| SerialNumber | 0e9b188ef9d02de7efdb50e20840185a |
| Version | 3 |
Certificate 00e3214c81339540a3804fca656f5aea7d
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | e92698d5c465b606f7b442425888a42f |
| ToBeSigned (TBS) SHA1 | 28ce18c759778e18724fba34c2ba4b2b8a13b06a |
| ToBeSigned (TBS) SHA256 | abca5c5b177f79be37017f735312dcbb10b7ffe405a0c0feb93f08b3506d9044 |
| Subject | C=DE, ST=Berlin, L=Berlin, postalCode=48273, ??=Rathas G45, OU=Ownership, O=Sex Shop L45, emailAddress=administration@parsec.net, CN=Sex Shop SRL |
| ValidFrom | 2022-06-03 00:00:01 |
| ValidTo | 2024-07-04 23:59:59 |
| Signature | 48c453934773519fb737a92159f039851b8140cc7ee24eb15465885099600c1d09644dfc7f15dc841a004b59f9e9b57f4ef33f7dceac01ff80f8a9fc9d51fe747addd7d08122fcf10812ebc1df26b7577365cd73d59956bf659c4a5c87477619a04c59987b47e768eb886ef45761fc6a0dc4e211b3da590ef0920c4b51445f7ab6cf95a8085174f4bdf17a5ce13e049f21892d6de70160f9be5efcbc9a8dc07ab20bb77b897157654e591da80e18c0cec859bf60b1570cc228762bdd394d1ef9f81db3bdb3c1cd07f63428db9fd7654f04f170435df6e27b744f41679bb8c45d321b5fb0bff8875ebf7ba083c73aed4513ec18190283007dadb3f3a1a8117a818cfc8b6d8028592ef283ecf90833a103f1533a6db0a4033967cbccb72dc07737d9bbc8b994e7e8f1b483c7bf10e9671e2b03445df506c2d406cca060f1edc949f4ff3e6e073fe6d4db1440d7d4abb9c8cd7c2ddff8a6e7c85b6c4269c05f76b88b0139120cf430d77dfb74a1d0032b6f17c487dd9c9bcb0fc05861e7c7e6e93b133f54577841dd9f35172fa6761fcb6e58cc716fe88dab5c337439c2359beb2fa5dc579e3ddfb8ab43ee7a4d11d65b48fe5ac51eb553712b19a2f66df90f6f8d88b84de58cc007df2440fa81b002abcd38f404c112fee3276296e7d65f4d47d6e37dab0ab10ca9a0432e72c249095673d4147cc093719230598b44ef3cf35114 |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
| IsCertificateAuthority | True |
| SerialNumber | 00e3214c81339540a3804fca656f5aea7d |
| Version | 3 |
Certificate 073637b724547cd847acfd28662a5e5b
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | e4b8ad9932ff9205f580cf8fb2afbb86 |
| ToBeSigned (TBS) SHA1 | 5301f7044d78bf94dd2b6e4871083a17fdba1dcc |
| ToBeSigned (TBS) SHA256 | c3d01499a5d1d2f71e0f44e78fbfa4b8aadb43dd4f226401e0c1d7a6d53357fa |
| Subject | C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA |
| ValidFrom | 2022-03-23 00:00:00 |
| ValidTo | 2037-03-22 23:59:59 |
| Signature | 7d598ec093b66f98a94422017e66d6d82142e1b0182e104d13cf3053cebf18fbc7505de24b29fb708a0daa2969fc69c1cf1d07e93e60c8d80be55c5bd76d87fa842025343167cdb612966fc4504c621d0c0882a816bda956cf15738d012225ce95693f4777fb727414d7ffab4f8a2c7aab85cd435fed60b6aa4f91669e2c9ee08aace5fd8cbc6426876c92bd9d7cd0700a7cefa8bc754fba5af7a910b25de9ff285489f0d58a717665daccf072a323fac0278244ae99271bab241e26c1b7de2aebf69eb1799981a35686ab0a45c9dfc48da0e798fbfba69d72afc4c7c1c16a71d9c6138009c4b69fcd878724bb4fa349b9776691f1729ce94b0252a7377e9353ac3b1d08490f94cd397addff256399272c3d3f6ba7f166c341cd4fb6409b212140d0b71324cddc1d783ae49eade5347192d7266be43873aba6014fbd3f3b78ad4cadfbc4957bed0a5f33398741787a38e99ce1dd23fd1d28d3c7f9e8f1985ffb2bd87ef2469d752c1e272c26db6f157b1e198b36b893d4e6f2179959ca70f037bf9800df20164f27fb606716a166badd55c03a2986b098a02bed9541b73ad5159831b462090f0abd81d913febfa4d1f357d9bc04fa82de32df0489f000cd5dc2f9d0237f000be4760226d9f0657642a6298709472be67f1aa4850ffc9896f655542b1f80fac0f20e2be5d6fba92f44154ae7130e1ddb37381aa12bf6edd67cfc |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
| IsCertificateAuthority | True |
| SerialNumber | 073637b724547cd847acfd28662a5e5b |
| Version | 3 |
Certificate 0c4d69724b94fa3c2a4a3d2907803d5a
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | 812cb8ca0c79b318780ec5128ad13c1d |
| ToBeSigned (TBS) SHA1 | 3f8047d078307123301e50a25e9afb0dc4b6843d |
| ToBeSigned (TBS) SHA256 | 0c0b121e6f807bc22d4e0f4945634c22eca7e4d5ca58a1526a40e918a35c1d79 |
| Subject | C=US, O=DigiCert, CN=DigiCert Timestamp 2022 , 2 |
| ValidFrom | 2022-09-21 00:00:00 |
| ValidTo | 2033-11-21 23:59:59 |
| Signature | 55aa2a1af346f378573730fc75e34fd68523f1fcf995399b25e6f7728a98c377d464fc15fb36c249512c7888635509463900fc69d4ca9b29fba33fc0c9009b131db09889dc78f2cd7c85cd539daf62e26166a3142a45874a98422b50fc1bb59e083009fae42dd7098979f909e688ce7d1bb86aa29bc1536009e8a3b89dd7ad1f1cb8ec9841f0f60e80fbe4ffdf9d10a7eb00ba5f4a8f1a3a52b4eabf0949153536599a0f54d2b21b7f7e5e09ad76548a746dcad205672b76ebff98b226953819884414e50a59a26be7223e4421d23f1cc09bed7c48b2d8920c914f3c6694af5d0253eb9ee29ee4d31f8601649c00c2e95a74750d3de17988bf1c0197c9192380d7365a5f9616b1630cc646403bce5d35d4593e439a18aec3c9cbc3fb9b135f6ab5c7e0f305c359df27622bde41c953b9ff341067f62632987bfe5c42948194829dac0a8bc64b154ad3989045603380e023def803a4f64547e5ceb8034247e841367177adfda2e897744e2eda1e1d8c5ac81e9ad5c2f0c622a84f9bbdd81c9a51c42f9af65fa72797ba962e8557c060e778567f6aefc2959a4b1102c8829cc91a057cba71b54e7a996cf4e89ed45a98c89fbf8dbb185c43f5d02ae8e262ee7804dbbdd1fb5b0aa8707ef0978478e308035d472c63a825389701d23f3adae5e5f6e69bdc7e2cccff174c4d00a2d8d6010eb88beee6e07255892c271961f677018c |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
| IsCertificateAuthority | False |
| SerialNumber | 0c4d69724b94fa3c2a4a3d2907803d5a |
| Version | 3 |
Imports
Expand
- ntoskrnl.exe
- WDFLDR.SYS
Imported Functions
Expand
- NtQuerySystemInformation
- RtlInitUnicodeString
- ExAllocatePool
- ExAllocatePoolWithTag
- ExFreePoolWithTag
- IofCompleteRequest
- IoCreateDevice
- IoCreateSymbolicLink
- IoDeleteDevice
- IoDeleteSymbolicLink
- _wcsicmp
- RtlInitString
- RtlAnsiStringToUnicodeString
- RtlFreeUnicodeString
- IoGetDeviceObjectPointer
- ZwClose
- MmIsAddressValid
- ZwOpenDirectoryObject
- ZwQueryDirectoryObject
- ObReferenceObjectByName
- ZwQuerySystemInformation
- __C_specific_handler
- MmHighestUserAddress
- IoDriverObjectType
- KeQueryTimeIncrement
- KeStackAttachProcess
- KeUnstackDetachProcess
- PsGetProcessWow64Process
- PsGetProcessPeb
- MmUnlockPages
- MmGetSystemRoutineAddress
- MmUnmapLockedPages
- IoFreeMdl
- ZwTerminateProcess
- PsGetProcessImageFileName
- ObOpenObjectByPointer
- PsReferenceProcessFilePointer
- IoQueryFileDosDeviceName
- ZwQueryVirtualMemory
- MmProbeAndLockPages
- PsLookupProcessByProcessId
- MmMapLockedPagesSpecifyCache
- IoAllocateMdl
- IoGetCurrentProcess
- MmCopyVirtualMemory
- KeClearEvent
- KeSetEvent
- KeWaitForSingleObject
- MmMapLockedPages
- ObReferenceObjectByHandle
- PsSetCreateProcessNotifyRoutineEx
- PsSetCreateThreadNotifyRoutine
- PsRemoveCreateThreadNotifyRoutine
- PsSetLoadImageNotifyRoutine
- PsRemoveLoadImageNotifyRoutine
- ExEventObjectType
- ObRegisterCallbacks
- ObUnRegisterCallbacks
- ObGetFilterVersion
- IoThreadToProcess
- strcmp
- PsProcessType
- PsThreadType
- RtlGetVersion
- ObfReferenceObject
- ObGetObjectType
- ExEnumHandleTable
- ExfUnblockPushLock
- _snprintf
- vsprintf_s
- ZwCreateFile
- ZwWriteFile
- PsLookupThreadByThreadId
- NtQueryInformationThread
- DbgPrint
- KeDelayExecutionThread
- KdDisableDebugger
- KdChangeOption
- PsCreateSystemThread
- PsTerminateSystemThread
- KdDebuggerEnabled
- PsGetVersion
- KeInitializeEvent
- RtlCopyUnicodeString
- ObfDereferenceObject
- ExReleaseFastMutex
- ExAcquireFastMutex
- MmBuildMdlForNonPagedPool
- WdfVersionBindClass
- WdfVersionBind
- WdfVersionUnbind
- WdfVersionUnbindClass
Exported Functions
Expand
Sections
Expand
- .text
- .rdata
- .data
- .pdata
- PAGE
- INIT
- .upx0
- .reloc
- .rsrc
Signature
Expand
{
"Certificates": [
{
"IsCertificateAuthority": true,
"SerialNumber": "0e9b188ef9d02de7efdb50e20840185a",
"Signature": "70a0bf435c55e7385fa0a3741b3db616d7f7bf5707bd9aaca1872cec855ea91abb22f8871a695422eda488776dbd1a14f4134a7a2f2db738eff4ff80b9f8a1f7f272de24bc5203c84ed02adefa2d56cff9f4f7ac307a9a8bb25ed4cfd143449b4321eb9672a148b499cb9d4fa7060313772744d4e77fe859a8f0bf2f0ba6e9f2343cecf703c787a8d24c401935466a6954b0b8a1568eeca4d53de8b1dcfd1cd8f4775a5c548c6fefa1503dfc760968849f6fcadb208d35601c0203cb20b0ac58a00e4063c59822c1b259f5556bcf27ab6c76ce6f232df47e716a236b22ff12b8542d277ed83ad9f0b68796fd5bd15cac18c34d9f73b701a99f57aa5e28e2b994",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.12",
"Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Trusted Root G4",
"TBS": {
"MD5": "21a266bd49f2778b24d13d95641ea6ac",
"SHA1": "21319f341fdf06bf6a104427afa8b7823b1ea7f3",
"SHA256": "e933dc68ee65abd1f9b1aa6738eff60a6895d3d8cc4accf0c69069aa3decd757",
"SHA384": "11533efd6b326a4e065a936de300fe0586a479f93d569d2403bd62c7ad35f1b2199daee3adb510f429c4fc97b4b024e3"
},
"ValidFrom": "2022-08-01 00:00:00",
"ValidTo": "2031-11-09 23:59:59",
"Version": 3
},
{
"IsCertificateAuthority": true,
"SerialNumber": "00e3214c81339540a3804fca656f5aea7d",
"Signature": "48c453934773519fb737a92159f039851b8140cc7ee24eb15465885099600c1d09644dfc7f15dc841a004b59f9e9b57f4ef33f7dceac01ff80f8a9fc9d51fe747addd7d08122fcf10812ebc1df26b7577365cd73d59956bf659c4a5c87477619a04c59987b47e768eb886ef45761fc6a0dc4e211b3da590ef0920c4b51445f7ab6cf95a8085174f4bdf17a5ce13e049f21892d6de70160f9be5efcbc9a8dc07ab20bb77b897157654e591da80e18c0cec859bf60b1570cc228762bdd394d1ef9f81db3bdb3c1cd07f63428db9fd7654f04f170435df6e27b744f41679bb8c45d321b5fb0bff8875ebf7ba083c73aed4513ec18190283007dadb3f3a1a8117a818cfc8b6d8028592ef283ecf90833a103f1533a6db0a4033967cbccb72dc07737d9bbc8b994e7e8f1b483c7bf10e9671e2b03445df506c2d406cca060f1edc949f4ff3e6e073fe6d4db1440d7d4abb9c8cd7c2ddff8a6e7c85b6c4269c05f76b88b0139120cf430d77dfb74a1d0032b6f17c487dd9c9bcb0fc05861e7c7e6e93b133f54577841dd9f35172fa6761fcb6e58cc716fe88dab5c337439c2359beb2fa5dc579e3ddfb8ab43ee7a4d11d65b48fe5ac51eb553712b19a2f66df90f6f8d88b84de58cc007df2440fa81b002abcd38f404c112fee3276296e7d65f4d47d6e37dab0ab10ca9a0432e72c249095673d4147cc093719230598b44ef3cf35114",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
"Subject": "C=DE, ST=Berlin, L=Berlin, postalCode=48273, ??=Rathas G45, OU=Ownership, O=Sex Shop L45, emailAddress=administration@parsec.net, CN=Sex Shop SRL",
"TBS": {
"MD5": "e92698d5c465b606f7b442425888a42f",
"SHA1": "28ce18c759778e18724fba34c2ba4b2b8a13b06a",
"SHA256": "abca5c5b177f79be37017f735312dcbb10b7ffe405a0c0feb93f08b3506d9044",
"SHA384": "568df6a08f7ab38d19b4cb314c74f6e9622524651b2dc82224f993a0790e0454887a9215281beb548672a80f8c856b5b"
},
"ValidFrom": "2022-06-03 00:00:01",
"ValidTo": "2024-07-04 23:59:59",
"Version": 3
},
{
"IsCertificateAuthority": true,
"SerialNumber": "073637b724547cd847acfd28662a5e5b",
"Signature": "7d598ec093b66f98a94422017e66d6d82142e1b0182e104d13cf3053cebf18fbc7505de24b29fb708a0daa2969fc69c1cf1d07e93e60c8d80be55c5bd76d87fa842025343167cdb612966fc4504c621d0c0882a816bda956cf15738d012225ce95693f4777fb727414d7ffab4f8a2c7aab85cd435fed60b6aa4f91669e2c9ee08aace5fd8cbc6426876c92bd9d7cd0700a7cefa8bc754fba5af7a910b25de9ff285489f0d58a717665daccf072a323fac0278244ae99271bab241e26c1b7de2aebf69eb1799981a35686ab0a45c9dfc48da0e798fbfba69d72afc4c7c1c16a71d9c6138009c4b69fcd878724bb4fa349b9776691f1729ce94b0252a7377e9353ac3b1d08490f94cd397addff256399272c3d3f6ba7f166c341cd4fb6409b212140d0b71324cddc1d783ae49eade5347192d7266be43873aba6014fbd3f3b78ad4cadfbc4957bed0a5f33398741787a38e99ce1dd23fd1d28d3c7f9e8f1985ffb2bd87ef2469d752c1e272c26db6f157b1e198b36b893d4e6f2179959ca70f037bf9800df20164f27fb606716a166badd55c03a2986b098a02bed9541b73ad5159831b462090f0abd81d913febfa4d1f357d9bc04fa82de32df0489f000cd5dc2f9d0237f000be4760226d9f0657642a6298709472be67f1aa4850ffc9896f655542b1f80fac0f20e2be5d6fba92f44154ae7130e1ddb37381aa12bf6edd67cfc",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
"Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA",
"TBS": {
"MD5": "e4b8ad9932ff9205f580cf8fb2afbb86",
"SHA1": "5301f7044d78bf94dd2b6e4871083a17fdba1dcc",
"SHA256": "c3d01499a5d1d2f71e0f44e78fbfa4b8aadb43dd4f226401e0c1d7a6d53357fa",
"SHA384": "84b5f399da5a4f4387269adfd951ef7d2197c29552ed2d2e449060664c3825d6bdb2acc3e563d999e54652f7384f445e"
},
"ValidFrom": "2022-03-23 00:00:00",
"ValidTo": "2037-03-22 23:59:59",
"Version": 3
},
{
"IsCertificateAuthority": false,
"SerialNumber": "0c4d69724b94fa3c2a4a3d2907803d5a",
"Signature": "55aa2a1af346f378573730fc75e34fd68523f1fcf995399b25e6f7728a98c377d464fc15fb36c249512c7888635509463900fc69d4ca9b29fba33fc0c9009b131db09889dc78f2cd7c85cd539daf62e26166a3142a45874a98422b50fc1bb59e083009fae42dd7098979f909e688ce7d1bb86aa29bc1536009e8a3b89dd7ad1f1cb8ec9841f0f60e80fbe4ffdf9d10a7eb00ba5f4a8f1a3a52b4eabf0949153536599a0f54d2b21b7f7e5e09ad76548a746dcad205672b76ebff98b226953819884414e50a59a26be7223e4421d23f1cc09bed7c48b2d8920c914f3c6694af5d0253eb9ee29ee4d31f8601649c00c2e95a74750d3de17988bf1c0197c9192380d7365a5f9616b1630cc646403bce5d35d4593e439a18aec3c9cbc3fb9b135f6ab5c7e0f305c359df27622bde41c953b9ff341067f62632987bfe5c42948194829dac0a8bc64b154ad3989045603380e023def803a4f64547e5ceb8034247e841367177adfda2e897744e2eda1e1d8c5ac81e9ad5c2f0c622a84f9bbdd81c9a51c42f9af65fa72797ba962e8557c060e778567f6aefc2959a4b1102c8829cc91a057cba71b54e7a996cf4e89ed45a98c89fbf8dbb185c43f5d02ae8e262ee7804dbbdd1fb5b0aa8707ef0978478e308035d472c63a825389701d23f3adae5e5f6e69bdc7e2cccff174c4d00a2d8d6010eb88beee6e07255892c271961f677018c",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
"Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp 2022 , 2",
"TBS": {
"MD5": "812cb8ca0c79b318780ec5128ad13c1d",
"SHA1": "3f8047d078307123301e50a25e9afb0dc4b6843d",
"SHA256": "0c0b121e6f807bc22d4e0f4945634c22eca7e4d5ca58a1526a40e918a35c1d79",
"SHA384": "86aab81948499b3c90833253a853e7b3fd82ccf7b65b35806831ab60814bfc6ad8848c990df262a1c89b6fc4267dad81"
},
"ValidFrom": "2022-09-21 00:00:00",
"ValidTo": "2033-11-21 23:59:59",
"Version": 3
}
],
"CertificatesInfo": "",
"Signer": [
{
"Issuer": "C=DE, ST=Berlin, L=Berlin, postalCode=48273, ??=Rathas G45, OU=Ownership, O=Sex Shop L45, emailAddress=administration@parsec.net, CN=Sex Shop SRL",
"SerialNumber": "00e3214c81339540a3804fca656f5aea7d",
"Version": 1
}
],
"SignerInfo": ""
}
last_updated: 2024-09-26