EIO.sys

Description

Microsoft classifies this driver as vulnerable (it is covered by the Microsoft recommended driver block rules linked under Resources).

  • UUID: f654ad84-c61d-477c-a0b2-d153b927dfcc
  • Created: 2023-05-20
  • Author: Michael Haag
  • Acknowledgement:

Download

This download link contains the vulnerable driver!

Commands

    sc.exe create EIO.sys binPath=C:\windows\temp\EIO.sys type=kernel && sc.exe start EIO.sys

Use Case            | Privileges | Operating System
Elevate privileges  | kernel     | Windows 10

Detections

YARA 🏹

  • Exact Match: with header and size limitation
  • Threat Hunting: without header and size limitation
  • Renamed: for renamed driver files

Sigma 🛡️

  • Names: detects loading using name only
  • Hashes: detects loading using hashes only

Sysmon 🔎

  • Block: on hashes
  • Alert: on hashes

Resources

  • https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules

  • Known Vulnerable Samples

    Property               | Value
    Filename               | EIO.sys
    Creation Timestamp     | 2007-10-16 07:54:18
    MD5                    | be9eeea2a8cac5f6cd92c97f234e2fe1
    SHA1                   | 585df373a9c56072ab6074afee8f1ec3778d70f8
    SHA256                 | b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0
    Authentihash MD5       | ff6c5b1f92372186d4f9879e00e42fcf
    Authentihash SHA1      | 200be5a696990ee97b4c3176234cde46c3ebc2ce
    Authentihash SHA256    | 72b36c64f0b349d7816c8e5e2d1a7f59807de0c87d3f071a04dbc56bec9c00db
    RichPEHeaderHash MD5   | 631b52d0fb39bc8beb7c0d3d3f514da3
    RichPEHeaderHash SHA1  | 5e80e96c8a5ad4e5dc7564392e3b173f48801a97
    RichPEHeaderHash SHA256| bf9303b65e432a0cf45638587d9df6f824fe37ca3920f35cc3d5c3553d54556f
    Company                | ASUSTeK Computer Inc.
    Description            | ASUS VGA Kernel Mode Driver
    Product                | ASUS VGA Kernel Mode Driver
    OriginalFilename       | EIO.sys

    Imports

    • ntoskrnl.exe
    • HAL.dll

    Imported Functions

    • IoCreateSymbolicLink
    • IoCreateDevice
    • ExAllocatePoolWithTag
    • IofCallDriver
    • IoDeleteSymbolicLink
    • KeInitializeMutex
    • IoAttachDeviceToDeviceStack
    • IoDeleteDevice
    • IoDetachDevice
    • MmUnmapIoSpace
    • KeReleaseMutex
    • KeWaitForSingleObject
    • KeBugCheckEx
    • IofCompleteRequest
    • RtlInitUnicodeString
    • MmMapIoSpace
    • KeStallExecutionProcessor
    • HalTranslateBusAddress

    Exported Functions

    (none listed)

    Sections

    • .text
    • .rdata
    • .data
    • .pdata
    • INIT
    • .rsrc

    Signature

    (none listed)

    Property               | Value
    Filename               | EIO.sys
    Creation Timestamp     | 2009-07-21 20:34:42
    MD5                    | 343ada10d948db29251f2d9c809af204
    SHA1                   | 3f17ff83dc8a5f875fb1b3a5d3b9fcbe407a99f0
    SHA256                 | cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb
    Authentihash MD5       | 5af6b25eec77fec510803a229944c8ad
    Authentihash SHA1      | ed54e23998978f8124bd1f97c265f708ddba1de0
    Authentihash SHA256    | d4e7335a177e47688d68ad89940c272f82728c882623f1630e7fd2e03e16f003
    RichPEHeaderHash MD5   | 9e879414ec72529ec97c71019ff54ff0
    RichPEHeaderHash SHA1  | 9f70178044e7de72a85ee75901f03bacfd277c05
    RichPEHeaderHash SHA256| 769dd395a70eb58e4a9b4bac925874290f3a688367a35aa5a392d93b0fc1fe47
    Company                | ASUSTeK Computer Inc.
    Description            | ASUS VGA Kernel Mode Driver
    Product                | ASUS VGA Kernel Mode Driver
    OriginalFilename       | EIO.sys

    Imports

    • ntoskrnl.exe
    • HAL.dll

    Imported Functions

    • KeInitializeMutex
    • RtlInitUnicodeString
    • IoDeleteDevice
    • IoDetachDevice
    • MmUnmapIoSpace
    • MmMapIoSpace
    • PoStartNextPowerIrp
    • IofCompleteRequest
    • ExFreePoolWithTag
    • PoCallDriver
    • IoCreateSymbolicLink
    • IoCreateDevice
    • IofCallDriver
    • KeReleaseMutex
    • KeWaitForSingleObject
    • KeBugCheckEx
    • IoDeleteSymbolicLink
    • IoAttachDeviceToDeviceStack
    • ExAllocatePoolWithTag
    • KeStallExecutionProcessor
    • HalTranslateBusAddress

    Exported Functions

    (none listed)

    Sections

    • .text
    • .rdata
    • .data
    • .pdata
    • INIT
    • .rsrc

    Signature

    (none listed)

    Property               | Value
    Filename               |
    Creation Timestamp     | 2009-07-21 20:34:52
    MD5                    | 00143c457c8885fd935fc5d5a6ba07a4
    SHA1                   | a92207062fb72e6e173b2ffdb12c76834455f5d3
    SHA256                 | 1fac3fab8ea2137a7e81a26de121187bf72e7d16ffa3e9aec3886e2376d3c718
    Authentihash MD5       | 3fc7ad198c185c20a883e902a02b80f1
    Authentihash SHA1      | 30a48418d07561c8df8aa4219734f0ded791e430
    Authentihash SHA256    | 047c1d5bb80826a6f66c182fc8b5f66f59609a71e734117f20a4f98b9866bde5
    RichPEHeaderHash MD5   | ec621a5c93befc7894cf9e25fe8d8e5a
    RichPEHeaderHash SHA1  | 325b01f040538a3c52d4e228d2a12db399e0f3f1
    RichPEHeaderHash SHA256| 2def42426b474ae4318a6b9ddb2295179989bf0418d8a0ab738f0d3225ba006b
    Company                | ASUSTeK Computer Inc.
    Description            | ASUS VGA Kernel Mode Driver
    Product                | ASUS VGA Kernel Mode Driver
    OriginalFilename       | EIO.sys

    Certificates

    Certificate 0c5167c023b9adedf0f8918ee65712a1

    Field                  | Value
    ToBeSigned (TBS) MD5   | b9dcc79e9817431a597f16b483f5bab2
    ToBeSigned (TBS) SHA1  | fae5bf9779eed37708a44ba44f440c60174daa14
    ToBeSigned (TBS) SHA256| e6d299f754eaa1c55b8485adf0eeefdde50a924207ff0e36333c4fe1729e2376
    Subject                | ??=TW, ??=Private Organization, serialNumber=23638777, C=TW, L=Taipei City, O=ASUSTEK COMPUTER INC., CN=ASUSTEK COMPUTER INC.
    ValidFrom              | 2019-03-18 00:00:00
    ValidTo                | 2022-03-23 12:00:00
    Signature              | 05ab2d8216108391cd6f6a64cecefc78936899f2c3d6144e5b457ee70ab001e557a55c07a40a6b5395045e43bf1a320e79e2c12e11446a1e1426530b434e778abc836198ecce68769fa499016f2883e65104cb36a976c4986263485b774f36522f50432ee823651a17d03787ff672db6689a10cb58d84bb7bacf5da54ee5ebe4bae7c9a1ed2d95ecd7e42bb354d375fe94661df0acb3a64aa6866822140a716049924aab891e4955d7321a25875331f5f8b744ad39bbba4c564711273ae5675afd06175243e5e5940afe9fac413170ef21ac125e698edadefea6026eb7117c506fe422867b6479c34ae0300caf99c75dbf5f60465d5677831a55e9fdc10d621b
    SignatureAlgorithmOID  | 1.2.840.113549.1.1.11
    IsCertificateAuthority | False
    SerialNumber           | 0c5167c023b9adedf0f8918ee65712a1
    Version                | 3

    Certificate 03f1b4e15f3a82f1149678b3d7d8475c

    Field                  | Value
    ToBeSigned (TBS) MD5   | 83f5de89f641d0fbf60248e10a7b9534
    ToBeSigned (TBS) SHA1  | 382a73a059a08698d6eb98c87e1b36fc750933a4
    ToBeSigned (TBS) SHA256| eec58131dc11cd7f512501b15fdbc6074c603b68ca91f7162d5a042054edb0cf
    Subject                | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)
    ValidFrom              | 2012-04-18 12:00:00
    ValidTo                | 2027-04-18 12:00:00
    Signature              | 19334a0c813337dbad36c9e4c93abbb51b2e7aa2e2f44342179ebf4ea14de1b1dbe981dd9f01f2e488d5e9fe09fd21c1ec5d80d2f0d6c143c2fe772bdbf9d79133ce6cd5b2193be62ed6c9934f88408ecde1f57ef10fc6595672e8eb6a41bd1cd546d57c49ca663815c1bfe091707787dcc98d31c90c29a233ed8de287cd898d3f1bffd5e01a978b7cda6dfba8c6b23a666b7b01b3cdd8a634ec1201ab9558a5c45357a860e6e70212a0b92364a24dbb7c81256421becfee42184397bba53706af4dff26a54d614bec4641b865ceb8799e08960b818c8a3b8fc7998ca32a6e986d5e61c696b78ab9612d93b8eb0e0443d7f5fea6f062d4996aa5c1c1f0649480
    SignatureAlgorithmOID  | 1.2.840.113549.1.1.11
    IsCertificateAuthority | True
    SerialNumber           | 03f1b4e15f3a82f1149678b3d7d8475c
    Version                | 3

    Imports

    • ntoskrnl.exe
    • HAL.dll

    Imported Functions

    • IoDetachDevice
    • IofCallDriver
    • PoCallDriver
    • PoStartNextPowerIrp
    • MmUnmapIoSpace
    • MmMapIoSpace
    • READ_REGISTER_UCHAR
    • READ_REGISTER_USHORT
    • READ_REGISTER_ULONG
    • WRITE_REGISTER_UCHAR
    • WRITE_REGISTER_USHORT
    • RtlInitUnicodeString
    • ExFreePoolWithTag
    • IoDeleteSymbolicLink
    • IofCompleteRequest
    • KeQuerySystemTime
    • memmove
    • ExAllocatePoolWithTag
    • memset
    • KeWaitForSingleObject
    • KeReleaseMutex
    • KeTickCount
    • KeBugCheckEx
    • IoCreateDevice
    • IoCreateSymbolicLink
    • IoDeleteDevice
    • IoAttachDeviceToDeviceStack
    • WRITE_REGISTER_ULONG
    • KeInitializeMutex
    • KeStallExecutionProcessor
    • WRITE_PORT_UCHAR
    • READ_PORT_ULONG
    • WRITE_PORT_ULONG
    • HalTranslateBusAddress

    Exported Functions

    (none listed)

    Sections

    • .text
    • .rdata
    • .data
    • INIT
    • .rsrc
    • .reloc

    Signature

    (none listed)

    Property               | Value
    Filename               |
    Creation Timestamp     | 2009-07-21 20:34:42
    MD5                    | 6dd82d91f981893be57ff90101a7f7f1
    SHA1                   | 21ce232de0f306a162d6407fe1826aff435b2a04
    SHA256                 | f4c7e94a7c2e49b130671b573a9e4ff4527a777978f371c659c3f97c14d126de
    Authentihash MD5       | 5af6b25eec77fec510803a229944c8ad
    Authentihash SHA1      | ed54e23998978f8124bd1f97c265f708ddba1de0
    Authentihash SHA256    | d4e7335a177e47688d68ad89940c272f82728c882623f1630e7fd2e03e16f003
    RichPEHeaderHash MD5   | 9e879414ec72529ec97c71019ff54ff0
    RichPEHeaderHash SHA1  | 9f70178044e7de72a85ee75901f03bacfd277c05
    RichPEHeaderHash SHA256| 769dd395a70eb58e4a9b4bac925874290f3a688367a35aa5a392d93b0fc1fe47
    Company                | ASUSTeK Computer Inc.
    Description            | ASUS VGA Kernel Mode Driver
    Product                | ASUS VGA Kernel Mode Driver
    OriginalFilename       | EIO.sys

    Certificates

    Certificate 0c5167c023b9adedf0f8918ee65712a1

    Field                  | Value
    ToBeSigned (TBS) MD5   | b9dcc79e9817431a597f16b483f5bab2
    ToBeSigned (TBS) SHA1  | fae5bf9779eed37708a44ba44f440c60174daa14
    ToBeSigned (TBS) SHA256| e6d299f754eaa1c55b8485adf0eeefdde50a924207ff0e36333c4fe1729e2376
    Subject                | ??=TW, ??=Private Organization, serialNumber=23638777, C=TW, L=Taipei City, O=ASUSTEK COMPUTER INC., CN=ASUSTEK COMPUTER INC.
    ValidFrom              | 2019-03-18 00:00:00
    ValidTo                | 2022-03-23 12:00:00
    Signature              | 05ab2d8216108391cd6f6a64cecefc78936899f2c3d6144e5b457ee70ab001e557a55c07a40a6b5395045e43bf1a320e79e2c12e11446a1e1426530b434e778abc836198ecce68769fa499016f2883e65104cb36a976c4986263485b774f36522f50432ee823651a17d03787ff672db6689a10cb58d84bb7bacf5da54ee5ebe4bae7c9a1ed2d95ecd7e42bb354d375fe94661df0acb3a64aa6866822140a716049924aab891e4955d7321a25875331f5f8b744ad39bbba4c564711273ae5675afd06175243e5e5940afe9fac413170ef21ac125e698edadefea6026eb7117c506fe422867b6479c34ae0300caf99c75dbf5f60465d5677831a55e9fdc10d621b
    SignatureAlgorithmOID  | 1.2.840.113549.1.1.11
    IsCertificateAuthority | False
    SerialNumber           | 0c5167c023b9adedf0f8918ee65712a1
    Version                | 3

    Certificate 03f1b4e15f3a82f1149678b3d7d8475c

    Field                  | Value
    ToBeSigned (TBS) MD5   | 83f5de89f641d0fbf60248e10a7b9534
    ToBeSigned (TBS) SHA1  | 382a73a059a08698d6eb98c87e1b36fc750933a4
    ToBeSigned (TBS) SHA256| eec58131dc11cd7f512501b15fdbc6074c603b68ca91f7162d5a042054edb0cf
    Subject                | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)
    ValidFrom              | 2012-04-18 12:00:00
    ValidTo                | 2027-04-18 12:00:00
    Signature              | 19334a0c813337dbad36c9e4c93abbb51b2e7aa2e2f44342179ebf4ea14de1b1dbe981dd9f01f2e488d5e9fe09fd21c1ec5d80d2f0d6c143c2fe772bdbf9d79133ce6cd5b2193be62ed6c9934f88408ecde1f57ef10fc6595672e8eb6a41bd1cd546d57c49ca663815c1bfe091707787dcc98d31c90c29a233ed8de287cd898d3f1bffd5e01a978b7cda6dfba8c6b23a666b7b01b3cdd8a634ec1201ab9558a5c45357a860e6e70212a0b92364a24dbb7c81256421becfee42184397bba53706af4dff26a54d614bec4641b865ceb8799e08960b818c8a3b8fc7998ca32a6e986d5e61c696b78ab9612d93b8eb0e0443d7f5fea6f062d4996aa5c1c1f0649480
    SignatureAlgorithmOID  | 1.2.840.113549.1.1.11
    IsCertificateAuthority | True
    SerialNumber           | 03f1b4e15f3a82f1149678b3d7d8475c
    Version                | 3

    Imports

    • ntoskrnl.exe
    • HAL.dll

    Imported Functions

    • KeInitializeMutex
    • RtlInitUnicodeString
    • IoDeleteDevice
    • IoDetachDevice
    • MmUnmapIoSpace
    • MmMapIoSpace
    • PoStartNextPowerIrp
    • IofCompleteRequest
    • ExFreePoolWithTag
    • PoCallDriver
    • IoCreateSymbolicLink
    • IoCreateDevice
    • IofCallDriver
    • KeReleaseMutex
    • KeWaitForSingleObject
    • KeBugCheckEx
    • IoDeleteSymbolicLink
    • IoAttachDeviceToDeviceStack
    • ExAllocatePoolWithTag
    • KeStallExecutionProcessor
    • HalTranslateBusAddress

    Exported Functions

    (none listed)

    Sections

    • .text
    • .rdata
    • .data
    • .pdata
    • INIT
    • .rsrc

    Signature

    (none listed)

Last updated: 2024-04-09