d74fdf19-b4b0-4ec2-9c29-4213b064138b

irec.sys

Description

The driver in question, identified as \.\IREC, provides an interface for external programs to directly interact with system processes. Its key functionality is encapsulated in the OPENPROCESS function which, upon receiving a Process ID (PID), returns a handle to that specific process operating within the kernels domain. The vulnerability emerges from the indiscriminate nature of this functionality. An ill-intentioned actor can exploit this to obtain handles to critical processes like LSASS. With a hardcoded access mask of 0x410, this driver essentially grants PROCESS_QUERY_INFORMATION and PROCESS_VM_READ permissions, enabling unauthorized memory dumps from privileged processes, all from an unprivileged context.

UUID: d74fdf19-b4b0-4ec2-9c29-4213b064138b
Created: 2023-05-11
Author: Nasreddine Bencherchali
Acknowledgement: Michael Alfaro (@_mmpte_software), Tyler Booth | @tyler_dru1d

Download Block

This download link contains the vulnerable driver!

Commands

sc.exe create irec binPath=C:\windows\temp\irec.sys type=kernel &amp;&amp; sc.exe start irec.sys

Use Case	Privileges	Operating System
Elevate privileges	kernel	Windows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed driver files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources

https://blog.dru1d.ninja/windows-driver-exploit-development-irec-sys-a5eb45093945

https://gist.github.com/dru1d-foofus/1af21179f253879f101c3a8d4f718bf0

https://www.binalyze.com/irec

Known Vulnerable Samples

Property	Value
Filename	irec.sys
Creation Timestamp	2021-05-30 13:17:53
MD5	f1a203406a680cc7e4017844b129dcbf
SHA1	d2fb46277c36498e87d0f47415b7980440d40e3d
SHA256	dd573f23d656818036fc9ae1064eda31aca86acb9bc44a6e127db3ea112a9094
Authentihash MD5	3a6ceda4dfa265ed536cbabe0f1d4466
Authentihash SHA1	719f659300ba463efeeab5916f0378c64fc1ad4a
Authentihash SHA256	457e2eb5ee1def0e336463b7f62dcc02fdde307b817cf750907a5f5465c4dcb7
RichPEHeaderHash MD5	0da13196398d66f818326c83ae18ca08
RichPEHeaderHash SHA1	205d5414069dbce2b6e6721a3538dcea0ed136ad
RichPEHeaderHash SHA256	82ac138eb1bc938af7fb04af2c1c532827e41af25a3d3500006a3f7cb3327f54

Download

Certificates

Expand

Certificate 33000000433a68189e33902987000000000043

Field	Value
ToBeSigned (TBS) MD5	3d790bd5602e84a4aa8560133ced0a41
ToBeSigned (TBS) SHA1	909e31e3e3808ab55d508fc0ba47e0132a57d7ab
ToBeSigned (TBS) SHA256	ac1acbcba260f10270527c3762457c1b96818466df9da51dfec3b147c90db453
Subject	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher
ValidFrom	2020-12-15 22:25:28
ValidTo	2021-12-02 22:25:28
Signature	3a8e15af3660c47a1def4303906af38b6ca69186409b4f44ebe8106ece701f6e00e734fe1d0bb290d1496c3f17859e1f9ff1f31080dd8bfd2bb5013956c2f49ffe73916654f04c35b9df2fb27c55a71df3d8e1f25185d398abed244b42e27741c0b1c953c139c011b801f00e80ea992005a1305dd65bcb2032790b0d87636b75d2fb8f431546cd906ab0a55083a26d2649d822871b6aacd1b4d8c74ea2366903eeb318e7826db64e3a858d6377cf2f9a628f21d6ef65279603c18d25d365dd370cef1a45527deec589a331a221c909a8b0d2010d078970678c648d62168056e3b775233eac20e50cc039a85900749f627a419e8959fcf21efc89da76426107e43261ccdcaebad659b89abfdd5d1a78e9d438868b9ff58cac5176bddff8c8dd11008ed72ed249bb7d78af559b04561e6b44aae7846b103d2db8c0e31a5f661851f97acba0757b474c1caa49cf8eed86de15a4118743a418b6b415e7770265801ba51061b5d32125ed5ba1e27fe83ac795f9cc868949b14d59eb4f596763da9102f9e6ae8fe92de61d68af67a906e0be424f5c81dcecd4d190953a66384c3b5fe33f7b402a0934c2befd4a51b2f2850ef05e156fc4e1460eab2f67e3cbc999db761f57970ccafbc49040e999965f5306c1f5c90ce172d889a3aa63ec502a60020b2a7b4fff562b9dc5c50a8e06bc52f04ff0fe535591e2e6b7325239666152819a
SignatureAlgorithmOID	1.2.840.113549.1.1.11
IsCertificateAuthority	False
SerialNumber	33000000433a68189e33902987000000000043
Version	3

Certificate 330000000d690d5d7893d076df00000000000d

Field	Value
ToBeSigned (TBS) MD5	83f69422963f11c3c340b81712eef319
ToBeSigned (TBS) SHA1	0c5e5f24590b53bc291e28583acb78e5adc95601
ToBeSigned (TBS) SHA256	d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae
Subject	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014
ValidFrom	2014-10-15 20:31:27
ValidTo	2029-10-15 20:41:27
Signature	96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f
SignatureAlgorithmOID	1.2.840.113549.1.1.11
IsCertificateAuthority	True
SerialNumber	330000000d690d5d7893d076df00000000000d
Version	3

Imports

Expand

FLTMGR.SYS
ntoskrnl.exe

Imported Functions

Expand

FltRegisterFilter
FltUnregisterFilter
FltStartFiltering
FltGetFileNameInformation
FltReleaseFileNameInformation
FltParseFileNameInformation
FltAttachVolume
FltAllocateContext
FltSetInstanceContext
FltDeleteInstanceContext
FltGetInstanceContext
FltReleaseContext
FltEnumerateVolumes
FltObjectDereference
FltCloseCommunicationPort
FltGetRequestorProcessId
DbgPrint
ExAllocatePoolWithTag
ExFreePoolWithTag
RtlIntegerToUnicodeString
RtlAppendUnicodeToString
KeInitializeEvent
KeWaitForSingleObject
KeAcquireSpinLockAtDpcLevel
KeReleaseSpinLockFromDpcLevel
MmProbeAndLockPages
IoAllocateIrp
IoAllocateMdl
IoFreeIrp
IoFreeMdl
IoGetDeviceObjectPointer
ObfReferenceObject
ObfDereferenceObject
ZwClose
ZwOpenSymbolicLinkObject
ZwQuerySymbolicLinkObject
IoGetDeviceAttachmentBaseRef
IoGetStackLimits
FsRtlIsNameInExpression
strncpy
wcsncpy
wcsstr
RtlInitUnicodeString
RtlGetVersion
MmGetSystemRoutineAddress
MmIsDriverVerifying
IofCompleteRequest
IoCreateDevice
IoCreateSymbolicLink
IoDeleteDevice
IoDeleteSymbolicLink
IoGetRelatedDeviceObject
ObReferenceObjectByHandle
ObCloseHandle
PsGetCurrentProcessId
IoCreateFileSpecifyDeviceObjectHint
KeStackAttachProcess
KeUnstackDetachProcess
IoFileObjectType
PsProcessType
MmHighestUserAddress
RtlInt64ToUnicodeString
RtlCompareUnicodeString
RtlAppendUnicodeStringToString
ObQueryNameString
ZwQueryObject
ZwOpenDirectoryObject
_vsnwprintf
ObOpenObjectByName
ZwQueryDirectoryObject
ZwQueryInformationProcess
ZwQueryInformationThread
IoDriverObjectType
_stricmp
RtlFreeUnicodeString
KeInitializeMutex
ExSystemTimeToLocalTime
PsSetCreateProcessNotifyRoutine
PsGetProcessCreateTimeQuadPart
ZwOpenProcess
RtlConvertSidToUnicodeString
PsReferencePrimaryToken
PsLookupProcessByProcessId
ObOpenObjectByPointer
ZwQueryInformationToken
PsGetProcessImageFileName
PsGetProcessSectionBaseAddress
ZwQuerySystemInformation
PsGetProcessId
KeRevertToUserAffinityThread
KeSetSystemAffinityThread
ZwOpenSection
ZwMapViewOfSection
ZwUnmapViewOfSection
MmGetPhysicalMemoryRanges
__C_specific_handler
KeDelayExecutionThread
ProbeForRead
KeBugCheckEx

Exported Functions

Expand

Sections

Expand

.text
.rdata
.data
.pdata
INIT
.reloc

Signature

Expand

{
  "Certificates": [
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "33000000433a68189e33902987000000000043",
      "Signature": "3a8e15af3660c47a1def4303906af38b6ca69186409b4f44ebe8106ece701f6e00e734fe1d0bb290d1496c3f17859e1f9ff1f31080dd8bfd2bb5013956c2f49ffe73916654f04c35b9df2fb27c55a71df3d8e1f25185d398abed244b42e27741c0b1c953c139c011b801f00e80ea992005a1305dd65bcb2032790b0d87636b75d2fb8f431546cd906ab0a55083a26d2649d822871b6aacd1b4d8c74ea2366903eeb318e7826db64e3a858d6377cf2f9a628f21d6ef65279603c18d25d365dd370cef1a45527deec589a331a221c909a8b0d2010d078970678c648d62168056e3b775233eac20e50cc039a85900749f627a419e8959fcf21efc89da76426107e43261ccdcaebad659b89abfdd5d1a78e9d438868b9ff58cac5176bddff8c8dd11008ed72ed249bb7d78af559b04561e6b44aae7846b103d2db8c0e31a5f661851f97acba0757b474c1caa49cf8eed86de15a4118743a418b6b415e7770265801ba51061b5d32125ed5ba1e27fe83ac795f9cc868949b14d59eb4f596763da9102f9e6ae8fe92de61d68af67a906e0be424f5c81dcecd4d190953a66384c3b5fe33f7b402a0934c2befd4a51b2f2850ef05e156fc4e1460eab2f67e3cbc999db761f57970ccafbc49040e999965f5306c1f5c90ce172d889a3aa63ec502a60020b2a7b4fff562b9dc5c50a8e06bc52f04ff0fe535591e2e6b7325239666152819a",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher",
      "TBS": {
        "MD5": "3d790bd5602e84a4aa8560133ced0a41",
        "SHA1": "909e31e3e3808ab55d508fc0ba47e0132a57d7ab",
        "SHA256": "ac1acbcba260f10270527c3762457c1b96818466df9da51dfec3b147c90db453",
        "SHA384": "c548f472f381df2da149c036e2f47be20293838eb23adce5e1b0ad1ba1fe8c33f688528452146c87dcb26070a2a23ced"
      },
      "ValidFrom": "2020-12-15 22:25:28",
      "ValidTo": "2021-12-02 22:25:28",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "330000000d690d5d7893d076df00000000000d",
      "Signature": "96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014",
      "TBS": {
        "MD5": "83f69422963f11c3c340b81712eef319",
        "SHA1": "0c5e5f24590b53bc291e28583acb78e5adc95601",
        "SHA256": "d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae",
        "SHA384": "260ad59ba706420f68ba212931153bd89f760c464b21be55fba9d014fff322407859d4ebfb78ea9a3330f60dc9821a63"
      },
      "ValidFrom": "2014-10-15 20:31:27",
      "ValidTo": "2029-10-15 20:41:27",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014",
      "SerialNumber": "33000000433a68189e33902987000000000043",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

source

last_updated: 2024-09-26