080ff223-f8e0-49c0-a7b5-e97349cf81a0

HpPortIox64.sys :inline

Description

HpPortIox64.sys is a vulnerable driver and more information will be added as found.

  • UUID: 080ff223-f8e0-49c0-a7b5-e97349cf81a0
  • Created: 2023-01-09
  • Author: Michael Haag
  • Acknowledgement: |

Download

This download link contains the vulnerable driver!

Commands

sc.exe create HpPortIox64.sys binPath=C:\windows\temp\HpPortIox64.sys     type=kernel && sc.exe start HpPortIox64.sys
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed driver files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://github.com/elastic/protections-artifacts/search?q=VulnDriver
  • https://github.com/elastic/protections-artifacts/search?q=VulnDriver

    • Known Vulnerable Samples

    PropertyValue
    FilenameHpPortIox64.sys
    Creation Timestamp2021-04-20 21:22:47
    MD5a641e3dccba765a10718c9cb0da7879e
    SHA18c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f
    SHA256c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5
    Authentihash MD5986877a0cf596be97155e9469f3c4b40
    Authentihash SHA198807d9e11bad4feed54d0d2c1abadeb95ca997c
    Authentihash SHA25635b31c96194d78cbb98b3223bf810f78f53fc0e4601f49169938ca883586e4e9
    RichPEHeaderHash MD54d4d28dcc041614dbd266ba38ab0b695
    RichPEHeaderHash SHA14d93ccf1496f49e241e0a8948d5f356787864952
    RichPEHeaderHash SHA2562dba8cdd15e9042ac6f8f474ed1bd3c6ed65b64176bee0edb8a763ec144183c5
    CompanyHP Inc.
    DescriptionHpPortIo
    ProductHpPortIo
    OriginalFilenameHpPortIox64.sys

    Download

    Certificates

    Expand
    Certificate 0409181b5fd5bb66755343b56f955008
    FieldValue
    ToBeSigned (TBS) MD59359496ca4f021408b9d8923cab8b179
    ToBeSigned (TBS) SHA12aed40d7759997830870769be250199fd609e40e
    ToBeSigned (TBS) SHA256e767799478f64a34b3f53ff3bb9057fe1768f4ab178041b0dcc0ff1e210cba65
    SubjectC=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA
    ValidFrom2013-10-22 12:00:00
    ValidTo2028-10-22 12:00:00
    Signature3eec0d5a24b3f322d115c82c7c252976a81d5d1c2d3a1ac4ef3061d77e0b60fdc33d0fc4af8bfdef2adf205537b0e1f6d192750f51b46ea58e5ae25e24814e10a4ee3f718e630e134badd75f4479f33614068af79c464e5cff90b11b070e9115fbbaafb551c28d24ae24c6c7272aa129281a3a7128023c2e91a3c02511e29c1447a17a6868af9ba75c205cd971b10c8fbba8f8c512689fcf40cb4044a513f0e6640c25084232b2368a2402fe2f727e1cd7494596e8591de9fa74646bb2eb6643dab3b08cd5e90dddf60120ce9931633d081a18b3819b4fc6931006fc0781fa8bdaf98249f7626ea153fa129418852e9291ea686c4432b266a1e718a49a6451ef
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityTrue
    SerialNumber0409181b5fd5bb66755343b56f955008
    Version3
    Certificate 0449edef08b987f05203c4e0f2356499
    FieldValue
    ToBeSigned (TBS) MD55e993a919f907013f89ff0215fcfdf29
    ToBeSigned (TBS) SHA1b8b101040d1a81a545ae65cc953979880d3c1b10
    ToBeSigned (TBS) SHA2568896a2b0f531a6672e0b827766d86766184f0e350785a3c263fc67347e99fe75
    SubjectC=US, ST=California, L=Palo Alto, O=HP Inc., OU=HP Cybersecurity, CN=HP Inc.
    ValidFrom2020-05-14 00:00:00
    ValidTo2021-05-19 12:00:00
    Signaturef2d1a458df5efa9cd81a8ee531f040d22d4a0ddd4c3ee66272cd114b9f0f399243a7d3c810ada729d8677d7adebfb7f3d8c98160d8ef936a372cf095f8f3407153e4dc4dfe899b9cacd1c3169869da98a3a90a8933c2f04acf67572f25259adb3670b4cfb30c1916f690f4f771bb68bcbcfb6e8a9a8bf4c0948f2397fd570a4281b25978e1da0c01e4460f9d8f4c7df28724d196a256aba21081a3de98aae12cf34ea26eefd79adf1866d2898011da1b626dcb18e384b30edc7ff8703f7bec19b197da6494c435b98a5fad01b9885c3d43726d1d69c55283f950d8e9b267dd4cbd0c8d8879bbb1347025571710a63fed825e67ed93dc0ef58fb8d0ed87f1bd14
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityFalse
    SerialNumber0449edef08b987f05203c4e0f2356499
    Version3

    Imports

    Expand
    • ntoskrnl.exe
    • HAL.dll

    Imported Functions

    Expand
    • MmGetSystemRoutineAddress
    • RtlUnicodeStringToAnsiString
    • ExAllocatePool
    • ZwClose
    • RtlAppendUnicodeStringToString
    • ObReferenceObjectByHandle
    • RtlCopyUnicodeString
    • MmIsAddressValid
    • ExFreePoolWithTag
    • ZwOpenFile
    • DbgPrint
    • RtlEqualUnicodeString
    • ZwCreateFile
    • KeBugCheckEx
    • RtlVolumeDeviceToDosName
    • ExAllocatePoolWithTag
    • DbgPrintEx
    • IoCreateDevice
    • IoCreateSymbolicLink
    • RtlFreeAnsiString
    • IofCompleteRequest
    • RtlFreeUnicodeString
    • RtlInitString
    • IoDeleteDevice
    • RtlInitUnicodeString
    • strstr
    • RtlAnsiStringToUnicodeString
    • ObfDereferenceObject
    • IoDeleteSymbolicLink
    • ZwReadFile
    • RtlUTF8ToUnicodeN
    • RtlTimeFieldsToTime
    • RtlCharToInteger
    • RtlCompareMemory
    • RtlAssert
    • __C_specific_handler
    • HalSetBusDataByOffset
    • HalGetBusDataByOffset

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • INIT
    • .rsrc
    • .reloc

    Signature

    Expand
    {
  "Certificates": [
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "0409181b5fd5bb66755343b56f955008",
      "Signature": "3eec0d5a24b3f322d115c82c7c252976a81d5d1c2d3a1ac4ef3061d77e0b60fdc33d0fc4af8bfdef2adf205537b0e1f6d192750f51b46ea58e5ae25e24814e10a4ee3f718e630e134badd75f4479f33614068af79c464e5cff90b11b070e9115fbbaafb551c28d24ae24c6c7272aa129281a3a7128023c2e91a3c02511e29c1447a17a6868af9ba75c205cd971b10c8fbba8f8c512689fcf40cb4044a513f0e6640c25084232b2368a2402fe2f727e1cd7494596e8591de9fa74646bb2eb6643dab3b08cd5e90dddf60120ce9931633d081a18b3819b4fc6931006fc0781fa8bdaf98249f7626ea153fa129418852e9291ea686c4432b266a1e718a49a6451ef",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA",
      "TBS": {
        "MD5": "9359496ca4f021408b9d8923cab8b179",
        "SHA1": "2aed40d7759997830870769be250199fd609e40e",
        "SHA256": "e767799478f64a34b3f53ff3bb9057fe1768f4ab178041b0dcc0ff1e210cba65",
        "SHA384": "5cb7e7b4f1dbccd48d10db7e71b6f8c05fcb4bcb0085a6fefcfa0c2148f9a594e59f56ac4304004f3b398e259035c40c"
      },
      "ValidFrom": "2013-10-22 12:00:00",
      "ValidTo": "2028-10-22 12:00:00",
      "Version": 3
    },
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "0449edef08b987f05203c4e0f2356499",
      "Signature": "f2d1a458df5efa9cd81a8ee531f040d22d4a0ddd4c3ee66272cd114b9f0f399243a7d3c810ada729d8677d7adebfb7f3d8c98160d8ef936a372cf095f8f3407153e4dc4dfe899b9cacd1c3169869da98a3a90a8933c2f04acf67572f25259adb3670b4cfb30c1916f690f4f771bb68bcbcfb6e8a9a8bf4c0948f2397fd570a4281b25978e1da0c01e4460f9d8f4c7df28724d196a256aba21081a3de98aae12cf34ea26eefd79adf1866d2898011da1b626dcb18e384b30edc7ff8703f7bec19b197da6494c435b98a5fad01b9885c3d43726d1d69c55283f950d8e9b267dd4cbd0c8d8879bbb1347025571710a63fed825e67ed93dc0ef58fb8d0ed87f1bd14",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=US, ST=California, L=Palo Alto, O=HP Inc., OU=HP Cybersecurity, CN=HP Inc.",
      "TBS": {
        "MD5": "5e993a919f907013f89ff0215fcfdf29",
        "SHA1": "b8b101040d1a81a545ae65cc953979880d3c1b10",
        "SHA256": "8896a2b0f531a6672e0b827766d86766184f0e350785a3c263fc67347e99fe75",
        "SHA384": "8ca6718d1dfe26aabc763217c248619ba30a5485604d1e197ea049a93dc487fba8332c07437ce13bfe67e8075fcf3745"
      },
      "ValidFrom": "2020-05-14 00:00:00",
      "ValidTo": "2021-05-19 12:00:00",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA",
      "SerialNumber": "0449edef08b987f05203c4e0f2356499",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

    source

    last_updated: 2024-04-09