cce291c8-4534-4362-af45-5f45cd32bd92

smep_namco.sys :inline

Description

smep_namco.sys is a vulnerable driver and more information will be added as found.

  • UUID: cce291c8-4534-4362-af45-5f45cd32bd92
  • Created: 2023-01-09
  • Author: Michael Haag
  • Acknowledgement: |

DownloadBlock

This download link contains the vulnerable driver!

Commands

sc.exe create smep_namco.sys binPath=C:\windows\temp\smep_namco.sys type=kernel && sc.exe start smep_namco.sys
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed driver files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://github.com/namazso/physmem_drivers

  • Known Vulnerable Samples

    PropertyValue
    Filenamesmep_namco.sys
    Creation Timestamp2013-07-09 19:35:24
    MD502198692732722681f246c1b33f7a9d9
    SHA1f052dc35b74a1a6246842fbb35eb481577537826
    SHA2567ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d
    Authentihash MD55673638fc95d46f6b323144472c6e608
    Authentihash SHA10f780b7ada5dd8464d9f2cc537d973f5ac804e9c
    Authentihash SHA2567fd788358585e0b863328475898bb4400ed8d478466d1b7f5cc0252671456cc8
    RichPEHeaderHash MD5b2f23c03be4553a744ff25735a80073c
    RichPEHeaderHash SHA12703d60c8f12df9d6adf5ae475bfeb1786486888
    RichPEHeaderHash SHA25646ffd109664b6694974986a39d508002d564434d60a0fb9f861401f2cb2c83f1

    Download

    Certificates

    Expand
    Certificate 0400000000012019c19066
    FieldValue
    ToBeSigned (TBS) MD542023b9487cafe46c1b6a49c369a362e
    ToBeSigned (TBS) SHA17c7b524d269334b9f073c32e888e09544c6acd98
    ToBeSigned (TBS) SHA256b7126567833f3daa4085ff41e73112daad3d1e3808a942c1936520e2d6c46c78
    SubjectOU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA
    ValidFrom2009-03-18 11:00:00
    ValidTo2028-01-28 12:00:00
    Signature5df6cb2b0d0140849f857a43706ae0c5e7aa0600d76713c9089131654f14a8a905dc389e6aa0300abd8dc78028ee4245ca94f3de5845a9803204f5595c6a70003927944df5b44634e81c5331b2b35416e9cc42abd5d959301cfb462725b88723b1e8758824831ec876377b01494548a4ede25dd27c9ca2dc2dba105a126265abae00c710343bcb72bd14240cdcc37627b4a7fee15829f20e169f91391d89a6e60f1c878ce258ac927e243eaaec14e73a33348bc63bac83ab0f14627aba1a2d4d4b1bc530f00b92797d3c78e0f8e6d215965999392b3061e8b8f8c0a1e9221411787dc4dc89bec0bb94e172aeebb540404fef171e585ed0a88996ac9228e9babf
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber0400000000012019c19066
    Version3
    Certificate 0400000000012f4ee1355c
    FieldValue
    ToBeSigned (TBS) MD5f6a9e8eb8784f3f694b4e353c08a0ff5
    ToBeSigned (TBS) SHA1589a7d4df869395601ba7538a65afae8c4616385
    ToBeSigned (TBS) SHA256cbdc9a0ad785d0c2013211746b42234e18bdc7d54a7a260647badc1c9e712ed4
    SubjectC=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2
    ValidFrom2011-04-13 10:00:00
    ValidTo2019-04-13 10:00:00
    Signature225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber0400000000012f4ee1355c
    Version3
    Certificate 01000000000125b0b4cc01
    FieldValue
    ToBeSigned (TBS) MD5e3369c8e5aec0504b3a50455f615d9f9
    ToBeSigned (TBS) SHA113c244a894b40ecd18aaf97c362f20385bd005a7
    ToBeSigned (TBS) SHA25626da721a670c72836926032fee6920118bfb9bff89cc8d0ce30d9452c33f2532
    SubjectC=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority
    ValidFrom2009-12-21 09:32:56
    ValidTo2020-12-22 09:32:56
    Signaturebc89ecfee63655935c79d4117a86808f17b693b26d9b91a1561811c655eaf608edad9b9ef52b81c8bbdd607b1b47991e6d403e1d80c213d58e04052fdbe7ae529e688472a1e54a603cf89bd52f46d8c3b2b79353ac9b6c432424d1f1fce9562e3411581843eaefff34746ca0c06c7fad031969881e9560cabbbd0cbb76efc724b081c63831cf36ad0c38b89020849b2e8f28b99ff6ca9427cdac396157e0e3955a9c769230f5dea6973d721c2a6032a8334d8635338a5cf3a4fdf7062ce16b4b30f5cbd34362f841b9de7d20cb058c8e2cf65f35fd338d42896508362ca389f45a858bb0b97bdb6ccba1f8d20e1bbb977cd12779be9d7c3be6a75634d8c991a9
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber01000000000125b0b4cc01
    Version3
    Certificate 1121953cf4f12153ed3974a70d218298b988
    FieldValue
    ToBeSigned (TBS) MD5ed2401f2f2a40ae687096d79a85955d7
    ToBeSigned (TBS) SHA101bbd03bb2a9285563adf031b7379cb95e34c26b
    ToBeSigned (TBS) SHA256fde6a38c54e98159e61ac0fbba5f725a65ab975d211aed1f693c645c0e64c4eb
    SubjectC=JP, ST=Tokyo, L=Shinagawa, O=NAMCO BANDAI Online Inc., CN=NAMCO BANDAI Online Inc.
    ValidFrom2012-08-22 06:31:53
    ValidTo2014-10-21 03:05:04
    Signaturea6adc313f1c743fa19363fba06d32bdaf2c528004b8baf033ab77fa6a5a919cd30ebc7936933134553014329292e644225ee7dc0fcaa6fcfdb87e59947955d2acc40e2778598fe763057c821c93f3f2525c81179a4d0cb32d28329cc7f1e245b455ca755c1a8789bb8813da3492c19ce4f6b68d74cb5352deaed4865e1d944e01a6a3b14531a7305e9e385ea681d54062c2c1489384bb6f0917775250471255f5dcdc253fff80becd97053d22e6e8d73f3b2272d0bf0d262f73bb5dccfd48622cdf180eaf4ca77304b943362c759f125a1f56b3c5665f406fa2da81038161073f446d50fb3e8ae46d30f94021c514e6ca52f0d7d4951e2f9e245e4fd966f31f0
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber1121953cf4f12153ed3974a70d218298b988
    Version3
    Certificate 6129152700000000002a
    FieldValue
    ToBeSigned (TBS) MD50bb058d116f02817737920f112d9fd3b
    ToBeSigned (TBS) SHA1fd116235171a4feafedee586b7a59185fb5fd7e6
    ToBeSigned (TBS) SHA256f970426cc46d2ae0fc5f899fa19dbe76e05f07e525654c60c3c9399492c291f4
    SubjectC=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA
    ValidFrom2011-04-15 19:55:08
    ValidTo2021-04-15 20:05:08
    Signature5ff8d065746a81c6a6ca5b03b6914ae84bbdef2ba142f0efb4a5adcd3389ec0b9585ac62501108aa58d25aa08310e5a6337af25af2c5fe787cf09c83df190ad97396002dd62ccde914d41d9de83f3c1a76f7904efb01350a6c9313a0c356eb67a0e4d17a96dec267f190f80a7bf5321b94ec5f751f8d1b34da6c58a7cb2d279e2226b7c9aa30cc0777b836e38201b5393ccc8dd9a75f7f23b3877fdb5798918bd7ce2520e39d644fdd87f72b68490318e0a5df7c5f68644d36838d4781f2e9e0a869abfa7b163c05a449ea8830190a6c73055178dfd41ddd3ad47f2de44e54be83431e7a7433b4a4ebd77073bc2a02988966eef6bc8f749378e329025a5a43e258ce7ccf9acad236893be25fda26054ec8d4e72c910e1797c5beee8b13112323294ffa83d050f6bafad53db3173df4ff034aa325dce67561d1fa35086bd62744d068b78d45e0eb852cc8a15d614474160e5958aed2b5eea5bcd6d7076ab62978fd976767dd8d4f17944fd2ed0caf972437c3a29c81da6be143b6577b4cecbf791319e79fe844e94781b75e701e91f83dd17b27f50b7056434805dda92fab86101d0b12e31ad04c6e75ded645b30b748887935c564a41029af7aeb799d8b67f88fa11f2457cf4d71b91c01cf1a0fbd4080a411a142acef4eb34486e66879ed54b7a397fbb0e3d3861cf735706e412066bd96b5308cd7018c22d4f974691bca9f0
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber6129152700000000002a
    Version3

    Imports

    Expand
    • ntoskrnl.exe

    Imported Functions

    Expand
    • IoDeleteSymbolicLink
    • RtlInitUnicodeString
    • IofCompleteRequest
    • MmGetSystemRoutineAddress
    • IoCreateSymbolicLink
    • IoCreateDevice
    • IoDeleteDevice

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .data
    • .pdata
    • .info
    • INIT

    Signature

    Expand
    {
      "Certificates": [
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "0400000000012019c19066",
          "Signature": "5df6cb2b0d0140849f857a43706ae0c5e7aa0600d76713c9089131654f14a8a905dc389e6aa0300abd8dc78028ee4245ca94f3de5845a9803204f5595c6a70003927944df5b44634e81c5331b2b35416e9cc42abd5d959301cfb462725b88723b1e8758824831ec876377b01494548a4ede25dd27c9ca2dc2dba105a126265abae00c710343bcb72bd14240cdcc37627b4a7fee15829f20e169f91391d89a6e60f1c878ce258ac927e243eaaec14e73a33348bc63bac83ab0f14627aba1a2d4d4b1bc530f00b92797d3c78e0f8e6d215965999392b3061e8b8f8c0a1e9221411787dc4dc89bec0bb94e172aeebb540404fef171e585ed0a88996ac9228e9babf",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA",
          "TBS": {
            "MD5": "42023b9487cafe46c1b6a49c369a362e",
            "SHA1": "7c7b524d269334b9f073c32e888e09544c6acd98",
            "SHA256": "b7126567833f3daa4085ff41e73112daad3d1e3808a942c1936520e2d6c46c78",
            "SHA384": "0ee4f63d6f157ec4f6990c3ebb411ccd76cb1e2123c7f692459e43f96c0da2dbf60a2bce6afeacc60621d3055028baea"
          },
          "ValidFrom": "2009-03-18 11:00:00",
          "ValidTo": "2028-01-28 12:00:00",
          "Version": 3
        },
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "0400000000012f4ee1355c",
          "Signature": "225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2",
          "TBS": {
            "MD5": "f6a9e8eb8784f3f694b4e353c08a0ff5",
            "SHA1": "589a7d4df869395601ba7538a65afae8c4616385",
            "SHA256": "cbdc9a0ad785d0c2013211746b42234e18bdc7d54a7a260647badc1c9e712ed4",
            "SHA384": "dcec542f242317863d0b3d23947e17d6982e381003831777b07ed75b46fb18bd0392a89c9beb6862981cd05f3f2fb77b"
          },
          "ValidFrom": "2011-04-13 10:00:00",
          "ValidTo": "2019-04-13 10:00:00",
          "Version": 3
        },
        {
          "IsCertificateAuthority": false,
          "SerialNumber": "01000000000125b0b4cc01",
          "Signature": "bc89ecfee63655935c79d4117a86808f17b693b26d9b91a1561811c655eaf608edad9b9ef52b81c8bbdd607b1b47991e6d403e1d80c213d58e04052fdbe7ae529e688472a1e54a603cf89bd52f46d8c3b2b79353ac9b6c432424d1f1fce9562e3411581843eaefff34746ca0c06c7fad031969881e9560cabbbd0cbb76efc724b081c63831cf36ad0c38b89020849b2e8f28b99ff6ca9427cdac396157e0e3955a9c769230f5dea6973d721c2a6032a8334d8635338a5cf3a4fdf7062ce16b4b30f5cbd34362f841b9de7d20cb058c8e2cf65f35fd338d42896508362ca389f45a858bb0b97bdb6ccba1f8d20e1bbb977cd12779be9d7c3be6a75634d8c991a9",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority",
          "TBS": {
            "MD5": "e3369c8e5aec0504b3a50455f615d9f9",
            "SHA1": "13c244a894b40ecd18aaf97c362f20385bd005a7",
            "SHA256": "26da721a670c72836926032fee6920118bfb9bff89cc8d0ce30d9452c33f2532",
            "SHA384": "1524902f0e25addc6d74039d439366d2b06199e215004fd8e145369f50ea94a021ce6312e8a62b35470da0309ccb975c"
          },
          "ValidFrom": "2009-12-21 09:32:56",
          "ValidTo": "2020-12-22 09:32:56",
          "Version": 3
        },
        {
          "IsCertificateAuthority": false,
          "SerialNumber": "1121953cf4f12153ed3974a70d218298b988",
          "Signature": "a6adc313f1c743fa19363fba06d32bdaf2c528004b8baf033ab77fa6a5a919cd30ebc7936933134553014329292e644225ee7dc0fcaa6fcfdb87e59947955d2acc40e2778598fe763057c821c93f3f2525c81179a4d0cb32d28329cc7f1e245b455ca755c1a8789bb8813da3492c19ce4f6b68d74cb5352deaed4865e1d944e01a6a3b14531a7305e9e385ea681d54062c2c1489384bb6f0917775250471255f5dcdc253fff80becd97053d22e6e8d73f3b2272d0bf0d262f73bb5dccfd48622cdf180eaf4ca77304b943362c759f125a1f56b3c5665f406fa2da81038161073f446d50fb3e8ae46d30f94021c514e6ca52f0d7d4951e2f9e245e4fd966f31f0",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=JP, ST=Tokyo, L=Shinagawa, O=NAMCO BANDAI Online Inc., CN=NAMCO BANDAI Online Inc.",
          "TBS": {
            "MD5": "ed2401f2f2a40ae687096d79a85955d7",
            "SHA1": "01bbd03bb2a9285563adf031b7379cb95e34c26b",
            "SHA256": "fde6a38c54e98159e61ac0fbba5f725a65ab975d211aed1f693c645c0e64c4eb",
            "SHA384": "fb4e72f444466ab10e27eb009c2ae5861cbd388ce98c75b07bf9b20910e6d21019aab6b64ac5030a029991859e7b94a2"
          },
          "ValidFrom": "2012-08-22 06:31:53",
          "ValidTo": "2014-10-21 03:05:04",
          "Version": 3
        },
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "6129152700000000002a",
          "Signature": "5ff8d065746a81c6a6ca5b03b6914ae84bbdef2ba142f0efb4a5adcd3389ec0b9585ac62501108aa58d25aa08310e5a6337af25af2c5fe787cf09c83df190ad97396002dd62ccde914d41d9de83f3c1a76f7904efb01350a6c9313a0c356eb67a0e4d17a96dec267f190f80a7bf5321b94ec5f751f8d1b34da6c58a7cb2d279e2226b7c9aa30cc0777b836e38201b5393ccc8dd9a75f7f23b3877fdb5798918bd7ce2520e39d644fdd87f72b68490318e0a5df7c5f68644d36838d4781f2e9e0a869abfa7b163c05a449ea8830190a6c73055178dfd41ddd3ad47f2de44e54be83431e7a7433b4a4ebd77073bc2a02988966eef6bc8f749378e329025a5a43e258ce7ccf9acad236893be25fda26054ec8d4e72c910e1797c5beee8b13112323294ffa83d050f6bafad53db3173df4ff034aa325dce67561d1fa35086bd62744d068b78d45e0eb852cc8a15d614474160e5958aed2b5eea5bcd6d7076ab62978fd976767dd8d4f17944fd2ed0caf972437c3a29c81da6be143b6577b4cecbf791319e79fe844e94781b75e701e91f83dd17b27f50b7056434805dda92fab86101d0b12e31ad04c6e75ded645b30b748887935c564a41029af7aeb799d8b67f88fa11f2457cf4d71b91c01cf1a0fbd4080a411a142acef4eb34486e66879ed54b7a397fbb0e3d3861cf735706e412066bd96b5308cd7018c22d4f974691bca9f0",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA",
          "TBS": {
            "MD5": "0bb058d116f02817737920f112d9fd3b",
            "SHA1": "fd116235171a4feafedee586b7a59185fb5fd7e6",
            "SHA256": "f970426cc46d2ae0fc5f899fa19dbe76e05f07e525654c60c3c9399492c291f4",
            "SHA384": "c0df876be008c26ca407fe904e6f5e7ccded17f9c16830ce9f8022309c9e64c97f494810f152811ae43e223b82ad7cc6"
          },
          "ValidFrom": "2011-04-15 19:55:08",
          "ValidTo": "2021-04-15 20:05:08",
          "Version": 3
        }
      ],
      "CertificatesInfo": "",
      "Signer": [
        {
          "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2",
          "SerialNumber": "1121953cf4f12153ed3974a70d218298b988",
          "Version": 1
        }
      ],
      "SignerInfo": ""
    }
    

    source

    last_updated: 2024-09-26