0f64bf7a-2ef2-45ea-af7d-4e7c87d98777
psmounterex.sys
Description
Northwave Cyber Security contributed this driver based on in-house research. The driver has a CVSSv3 score of 8.8, indicating a privelege escalation impact. This vulnerability could potentially be exploited for privilege escalation or other malicious activities.
- UUID: 0f64bf7a-2ef2-45ea-af7d-4e7c87d98777
- Created: 2024-09-11
- Author: Northwave Cyber Security
- Acknowledgement: Northwave Cyber Security |
Commands
sc.exe create psmounterex binPath=C:\windows\temp\psmounterex.sys type=kernel && sc.exe start psmounterex
Use Case | Privileges | Operating System |
---|---|---|
Elevate privileges | kernel | Windows 10 |
Detections
YARA 🏹
Expand
Resources
Known Vulnerable Samples
Property | Value |
---|---|
Filename | psmounterex.sys |
Creation Timestamp | 2019-02-15 04:20:49 |
MD5 | 2a9cf32ba325f394ae1cfb1e70f38b6e |
SHA1 | f4d3743b764d2b781c19ce1645965f3eb61b2ad1 |
SHA256 | 4e99d454a56845bb0e622cfd68b895b7868ef7e8a43424e5b7b803f5a2d25eca |
Authentihash MD5 | 78f367a992e85d134e864abb6dbdfbc2 |
Authentihash SHA1 | 9e80ef26b432c64950e6f465f5469307d0b71359 |
Authentihash SHA256 | 92f9341304bfb77158d29397d1b9695dee0d001ab5f119a8b49f49fa15e0cd98 |
RichPEHeaderHash MD5 | 9f91f079886d3e0f54969f352ccd3d8c |
RichPEHeaderHash SHA1 | 98f83fe0cd432776a0319728071ca3b041fde6c5 |
RichPEHeaderHash SHA256 | a998b6e8926459a24bc355cad2d9333b832cd38f0d6a0d24ffaecf1169aca912 |
Company | Windows (R) Win 7 DDK provider |
Description | Paramount Software Image Mounting Driver |
Product | PSMounterEx |
OriginalFilename | psmounterex.sys |
Certificates
Expand
Certificate 7e93ebfb7cc64e59ea4b9a77d406fc3b
Field | Value |
---|---|
ToBeSigned (TBS) MD5 | d0785ad36e427c92b19f6826ab1e8020 |
ToBeSigned (TBS) SHA1 | 365b7a9c21bd9373e49052c3e7b3e4646ddd4d43 |
ToBeSigned (TBS) SHA256 | c2abb7484da91a658548de089d52436175fdb760a1387d225611dc0613a1e2ff |
Subject | C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2 |
ValidFrom | 2012-12-21 00:00:00 |
ValidTo | 2020-12-30 23:59:59 |
Signature | 03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6 |
SignatureAlgorithmOID | 1.2.840.113549.1.1.5 |
IsCertificateAuthority | True |
SerialNumber | 7e93ebfb7cc64e59ea4b9a77d406fc3b |
Version | 3 |
Certificate 47c30ffefc22bb280f96fea75251
Field | Value |
---|---|
ToBeSigned (TBS) MD5 | 729cf4baceff4ef7aa199ad4f4ebed3d |
ToBeSigned (TBS) SHA1 | f478f0e790d5c8ec6056a3ab2567404a991d2837 |
ToBeSigned (TBS) SHA256 | c3c88c2a500cb5a97abca837193a5bd382f6eb3aeb0008edbce65ea2a3dbfd5c |
Subject | C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G3 |
ValidFrom | 2016-03-16 00:00:00 |
ValidTo | 2024-03-16 00:00:00 |
Signature | 3b41bbc84f561182b719e3d96dc185ae9e690ec84326234b8d44c8e87d5f070e5341d563444a890bb874ac7db578792f8426e2d7f7bad1ae2dfd69cffa7c64dc24162a4adac097a9bbd5dd88e7a1929a0aa5f6f7bace85d6e4e3d455deeddc3e211f1bc87788cffc65fb05b48f12a630d30d66982f6c2e6f85187c8ff5f6fbb1ab10e183270885b07321ba5d2cba8330b73984dd5db67fd28bb455534c42a2bc4a6c78395b631ca37827bfbe34836b6d7b1e60fbc29b0d88ac8c72546bdc3b88ba81525e689783b8ce7fa3cdf9ea2f2676facd0b06ac4344497bf64c9442b2abcfd542d51942696e618664c7b37d078bdbe5767b6e5f65a91690a2cee4ae6492 |
SignatureAlgorithmOID | 1.2.840.113549.1.1.5 |
IsCertificateAuthority | True |
SerialNumber | 47c30ffefc22bb280f96fea75251 |
Version | 3 |
Certificate 0ecff438c8febf356e04d86a981b1a50
Field | Value |
---|---|
ToBeSigned (TBS) MD5 | e9d38360b914c8863f6cba3ee58764d3 |
ToBeSigned (TBS) SHA1 | 4cba8eae47b6bf76f20b3504b98b8f062694a89b |
ToBeSigned (TBS) SHA256 | 88901d86a4cc1f1bb193d08e1fb63d27452e63f83e228c657ab1a92e4ade3976 |
Subject | C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4 |
ValidFrom | 2012-10-18 00:00:00 |
ValidTo | 2020-12-29 23:59:59 |
Signature | 783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475 |
SignatureAlgorithmOID | 1.2.840.113549.1.1.5 |
IsCertificateAuthority | False |
SerialNumber | 0ecff438c8febf356e04d86a981b1a50 |
Version | 3 |
Certificate 7c4ba269a79bfcba77f289aa
Field | Value |
---|---|
ToBeSigned (TBS) MD5 | c793e7fd0c44bceb7ad426be86040011 |
ToBeSigned (TBS) SHA1 | d801cf6f287f318e5f7a0ab5cd8906ddd8fae251 |
ToBeSigned (TBS) SHA256 | a9c88e683450713b03ff083447909e1de401529408f51df6deb0ffb56d032aeb |
Subject | C=GB, ST=Greater Manchester, L=Manchester, O=Paramount Software UK Ltd, CN=Paramount Software UK Ltd |
ValidFrom | 2017-02-16 09:47:48 |
ValidTo | 2020-03-24 14:06:23 |
Signature | 316bfbf40acac7ca3740421599ce15352c4a4fcf111376eb9daab6a7799a0cf15abd84039561f30ec15ce6fbcfade6d441670f0ac46e46e8de3d80ba922484a460d18aa9a4a9cf554821359e49c60f218581429c87b0572fd15fc977fce01330c40e12e9d5df52e155b139cbcd73b9d5e140026f11dbe6f07b0d57d8bb89d0ea9a3bdc0b4b0a1485048e2b1ee94220d2c9e23cdf4d0eb61292bf33e5ed8b6329679f9484a6b0c7a8064964c9ca22a79cced0ea9eba71346606cf73f694bff915fdffc2e68777656d824db607914568ad8615ddf65e988a4b67a6f4eeb2b97987586257a8e6d96b29d50e7c0b40bf4649ae1bd0d71a5c33014076572a4c00e352 |
SignatureAlgorithmOID | 1.2.840.113549.1.1.5 |
IsCertificateAuthority | False |
SerialNumber | 7c4ba269a79bfcba77f289aa |
Version | 3 |
Certificate 6129152700000000002a
Field | Value |
---|---|
ToBeSigned (TBS) MD5 | 0bb058d116f02817737920f112d9fd3b |
ToBeSigned (TBS) SHA1 | fd116235171a4feafedee586b7a59185fb5fd7e6 |
ToBeSigned (TBS) SHA256 | f970426cc46d2ae0fc5f899fa19dbe76e05f07e525654c60c3c9399492c291f4 |
Subject | C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA |
ValidFrom | 2011-04-15 19:55:08 |
ValidTo | 2021-04-15 20:05:08 |
Signature | 5ff8d065746a81c6a6ca5b03b6914ae84bbdef2ba142f0efb4a5adcd3389ec0b9585ac62501108aa58d25aa08310e5a6337af25af2c5fe787cf09c83df190ad97396002dd62ccde914d41d9de83f3c1a76f7904efb01350a6c9313a0c356eb67a0e4d17a96dec267f190f80a7bf5321b94ec5f751f8d1b34da6c58a7cb2d279e2226b7c9aa30cc0777b836e38201b5393ccc8dd9a75f7f23b3877fdb5798918bd7ce2520e39d644fdd87f72b68490318e0a5df7c5f68644d36838d4781f2e9e0a869abfa7b163c05a449ea8830190a6c73055178dfd41ddd3ad47f2de44e54be83431e7a7433b4a4ebd77073bc2a02988966eef6bc8f749378e329025a5a43e258ce7ccf9acad236893be25fda26054ec8d4e72c910e1797c5beee8b13112323294ffa83d050f6bafad53db3173df4ff034aa325dce67561d1fa35086bd62744d068b78d45e0eb852cc8a15d614474160e5958aed2b5eea5bcd6d7076ab62978fd976767dd8d4f17944fd2ed0caf972437c3a29c81da6be143b6577b4cecbf791319e79fe844e94781b75e701e91f83dd17b27f50b7056434805dda92fab86101d0b12e31ad04c6e75ded645b30b748887935c564a41029af7aeb799d8b67f88fa11f2457cf4d71b91c01cf1a0fbd4080a411a142acef4eb34486e66879ed54b7a397fbb0e3d3861cf735706e412066bd96b5308cd7018c22d4f974691bca9f0 |
SignatureAlgorithmOID | 1.2.840.113549.1.1.5 |
IsCertificateAuthority | True |
SerialNumber | 6129152700000000002a |
Version | 3 |
Imports
Expand
- ntoskrnl.exe
Imported Functions
Expand
- DbgPrint
- ExAllocatePoolWithTag
- ExFreePoolWithTag
- ZwCreateFile
- ZwWriteFile
- ZwClose
- KdDebuggerEnabled
- RtlInitAnsiString
- RtlWriteRegistryValue
- RtlCreateRegistryKey
- RtlAnsiStringToUnicodeString
- RtlFreeUnicodeString
- IoAllocateErrorLogEntry
- IoWriteErrorLogEntry
- RtlInitUnicodeString
- ZwQueryInformationFile
- ZwReadFile
- KeInitializeEvent
- KeSetEvent
- RtlCompareMemory
- ExInterlockedInsertTailList
- IofCompleteRequest
- SeTokenType
- SeCreateClientSecurity
- PsDereferencePrimaryToken
- PsDereferenceImpersonationToken
- RtlClearAllBits
- RtlSetAllBits
- RtlSetBits
- RtlFindFirstRunClear
- RtlAreBitsSet
- RtlFindNextForwardRunClear
- KeAcquireInStackQueuedSpinLock
- KeReleaseInStackQueuedSpinLock
- ExInterlockedInsertHeadList
- __C_specific_handler
- ExAllocatePool
- _wcsicmp
- _wcsnicmp
- RtlQueryRegistryValues
- RtlCopyUnicodeString
- RtlAppendUnicodeToString
- RtlxAnsiStringToUnicodeSize
- KeSetPriorityThread
- KeWaitForMultipleObjects
- KeWaitForSingleObject
- ExInterlockedRemoveHeadList
- ExInitializeResourceLite
- ExDeleteResourceLite
- MmQuerySystemSize
- MmMapLockedPagesSpecifyCache
- MmUnmapLockedPages
- PsCreateSystemThread
- PsTerminateSystemThread
- IoCreateSymbolicLink
- IoDeleteDevice
- IoDeleteSymbolicLink
- ZwCreateDirectoryObject
- ZwMakeTemporaryObject
- ZwOpenKey
- RtlInitializeGenericTable
- ExUuidCreate
- SeImpersonateClient
- PsRevertToSelf
- _vsnprintf
- _vsnwprintf
- NlsMbOemCodePageTag
- ExAcquireResourceExclusiveLite
- ExReleaseResourceLite
- RtlInsertElementGenericTable
- RtlDeleteElementGenericTable
- _local_unwind
- ZwQueryDirectoryFile
- swprintf
- ZwOpenProcessToken
- ZwAdjustPrivilegesToken
- RtlInitializeBitMap
- PsGetVersion
- ZwQueryValueKey
- MmGetSystemRoutineAddress
- IoCreateDevice
- ObOpenObjectByPointer
- ZwSetSecurityObject
- IoDeviceObjectType
- _snwprintf
- RtlLengthSecurityDescriptor
- SeCaptureSecurityDescriptor
- RtlCreateSecurityDescriptor
- RtlSetDaclSecurityDescriptor
- RtlAbsoluteToSelfRelativeSD
- IoIsWdmVersionAvailable
- SeExports
- wcschr
- RtlLengthSid
- RtlAddAccessAllowedAce
- RtlGetSaclSecurityDescriptor
- RtlGetDaclSecurityDescriptor
- RtlGetGroupSecurityDescriptor
- RtlGetOwnerSecurityDescriptor
- ZwCreateKey
- ZwSetValueKey
- KeBugCheckEx
Exported Functions
Expand
Sections
Expand
- .text
- .rdata
- .data
- .pdata
- PAGE
- INIT
- .rsrc
- .reloc
Signature
Expand
{
"Certificates": [
{
"IsCertificateAuthority": true,
"SerialNumber": "7e93ebfb7cc64e59ea4b9a77d406fc3b",
"Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
"Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2",
"TBS": {
"MD5": "d0785ad36e427c92b19f6826ab1e8020",
"SHA1": "365b7a9c21bd9373e49052c3e7b3e4646ddd4d43",
"SHA256": "c2abb7484da91a658548de089d52436175fdb760a1387d225611dc0613a1e2ff",
"SHA384": "eab4fe5ef90e0de4a6aa3a27769a5e879f588df5e4785aa4104debd1f81e19ea56d33e3a16e5facf99f68b5d8e3d287b"
},
"ValidFrom": "2012-12-21 00:00:00",
"ValidTo": "2020-12-30 23:59:59",
"Version": 3
},
{
"IsCertificateAuthority": true,
"SerialNumber": "47c30ffefc22bb280f96fea75251",
"Signature": "3b41bbc84f561182b719e3d96dc185ae9e690ec84326234b8d44c8e87d5f070e5341d563444a890bb874ac7db578792f8426e2d7f7bad1ae2dfd69cffa7c64dc24162a4adac097a9bbd5dd88e7a1929a0aa5f6f7bace85d6e4e3d455deeddc3e211f1bc87788cffc65fb05b48f12a630d30d66982f6c2e6f85187c8ff5f6fbb1ab10e183270885b07321ba5d2cba8330b73984dd5db67fd28bb455534c42a2bc4a6c78395b631ca37827bfbe34836b6d7b1e60fbc29b0d88ac8c72546bdc3b88ba81525e689783b8ce7fa3cdf9ea2f2676facd0b06ac4344497bf64c9442b2abcfd542d51942696e618664c7b37d078bdbe5767b6e5f65a91690a2cee4ae6492",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
"Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G3",
"TBS": {
"MD5": "729cf4baceff4ef7aa199ad4f4ebed3d",
"SHA1": "f478f0e790d5c8ec6056a3ab2567404a991d2837",
"SHA256": "c3c88c2a500cb5a97abca837193a5bd382f6eb3aeb0008edbce65ea2a3dbfd5c",
"SHA384": "e62bbb1ba1ad3df59f2c7265df5576af6b5d4a7473b74985a9d956975fdfc517ffbdd2172b0e3ea36befcb6a9026c872"
},
"ValidFrom": "2016-03-16 00:00:00",
"ValidTo": "2024-03-16 00:00:00",
"Version": 3
},
{
"IsCertificateAuthority": false,
"SerialNumber": "0ecff438c8febf356e04d86a981b1a50",
"Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
"Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4",
"TBS": {
"MD5": "e9d38360b914c8863f6cba3ee58764d3",
"SHA1": "4cba8eae47b6bf76f20b3504b98b8f062694a89b",
"SHA256": "88901d86a4cc1f1bb193d08e1fb63d27452e63f83e228c657ab1a92e4ade3976",
"SHA384": "e9f2a75334a9e336c5a4712eadee88d0374b0fdc273262f4e65c9040ad2793067cc076696db5279a478773485e285652"
},
"ValidFrom": "2012-10-18 00:00:00",
"ValidTo": "2020-12-29 23:59:59",
"Version": 3
},
{
"IsCertificateAuthority": false,
"SerialNumber": "7c4ba269a79bfcba77f289aa",
"Signature": "316bfbf40acac7ca3740421599ce15352c4a4fcf111376eb9daab6a7799a0cf15abd84039561f30ec15ce6fbcfade6d441670f0ac46e46e8de3d80ba922484a460d18aa9a4a9cf554821359e49c60f218581429c87b0572fd15fc977fce01330c40e12e9d5df52e155b139cbcd73b9d5e140026f11dbe6f07b0d57d8bb89d0ea9a3bdc0b4b0a1485048e2b1ee94220d2c9e23cdf4d0eb61292bf33e5ed8b6329679f9484a6b0c7a8064964c9ca22a79cced0ea9eba71346606cf73f694bff915fdffc2e68777656d824db607914568ad8615ddf65e988a4b67a6f4eeb2b97987586257a8e6d96b29d50e7c0b40bf4649ae1bd0d71a5c33014076572a4c00e352",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
"Subject": "C=GB, ST=Greater Manchester, L=Manchester, O=Paramount Software UK Ltd, CN=Paramount Software UK Ltd",
"TBS": {
"MD5": "c793e7fd0c44bceb7ad426be86040011",
"SHA1": "d801cf6f287f318e5f7a0ab5cd8906ddd8fae251",
"SHA256": "a9c88e683450713b03ff083447909e1de401529408f51df6deb0ffb56d032aeb",
"SHA384": "6c6437636cfc0650ce5fdfd5a3e095c7c6c105debc76a4db1c1b248b2ec8eb2ccbcdb19a0eb7622b82eb6b9f72a43f3e"
},
"ValidFrom": "2017-02-16 09:47:48",
"ValidTo": "2020-03-24 14:06:23",
"Version": 3
},
{
"IsCertificateAuthority": true,
"SerialNumber": "6129152700000000002a",
"Signature": "5ff8d065746a81c6a6ca5b03b6914ae84bbdef2ba142f0efb4a5adcd3389ec0b9585ac62501108aa58d25aa08310e5a6337af25af2c5fe787cf09c83df190ad97396002dd62ccde914d41d9de83f3c1a76f7904efb01350a6c9313a0c356eb67a0e4d17a96dec267f190f80a7bf5321b94ec5f751f8d1b34da6c58a7cb2d279e2226b7c9aa30cc0777b836e38201b5393ccc8dd9a75f7f23b3877fdb5798918bd7ce2520e39d644fdd87f72b68490318e0a5df7c5f68644d36838d4781f2e9e0a869abfa7b163c05a449ea8830190a6c73055178dfd41ddd3ad47f2de44e54be83431e7a7433b4a4ebd77073bc2a02988966eef6bc8f749378e329025a5a43e258ce7ccf9acad236893be25fda26054ec8d4e72c910e1797c5beee8b13112323294ffa83d050f6bafad53db3173df4ff034aa325dce67561d1fa35086bd62744d068b78d45e0eb852cc8a15d614474160e5958aed2b5eea5bcd6d7076ab62978fd976767dd8d4f17944fd2ed0caf972437c3a29c81da6be143b6577b4cecbf791319e79fe844e94781b75e701e91f83dd17b27f50b7056434805dda92fab86101d0b12e31ad04c6e75ded645b30b748887935c564a41029af7aeb799d8b67f88fa11f2457cf4d71b91c01cf1a0fbd4080a411a142acef4eb34486e66879ed54b7a397fbb0e3d3861cf735706e412066bd96b5308cd7018c22d4f974691bca9f0",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
"Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA",
"TBS": {
"MD5": "0bb058d116f02817737920f112d9fd3b",
"SHA1": "fd116235171a4feafedee586b7a59185fb5fd7e6",
"SHA256": "f970426cc46d2ae0fc5f899fa19dbe76e05f07e525654c60c3c9399492c291f4",
"SHA384": "c0df876be008c26ca407fe904e6f5e7ccded17f9c16830ce9f8022309c9e64c97f494810f152811ae43e223b82ad7cc6"
},
"ValidFrom": "2011-04-15 19:55:08",
"ValidTo": "2021-04-15 20:05:08",
"Version": 3
}
],
"CertificatesInfo": "",
"Signer": [
{
"Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G3",
"SerialNumber": "7c4ba269a79bfcba77f289aa",
"Version": 1
}
],
"SignerInfo": ""
}
last_updated: 2025-01-13