malicious.sys

Description

This driver comes from a demo presented at CYBERSEC 2023 in Taiwan. The presentation showcases the abuse of RTCore64.sys (CVE-2019-16098) from MSI to null out the DSE flag and load a malicious unsigned driver. It also demonstrates an attack on 360 Total Security that nulls out its ObRegisterCallbacks and notify callbacks, enabling any malicious behavior to be carried out against the processes of 360 Total Security.

  • UUID: 3e5c0fc4-bfe8-4af2-9613-4f56b0e3c2c8
  • Created: 2023-06-05
  • Author: Guus Verbeek
  • Acknowledgement:


This download link contains the malicious driver!

Commands

sc.exe create malicious.sys binPath=C:\windows\temp\malicious.sys type=kernel && sc.exe start malicious.sys
Use Case            Privileges   Operating System
Elevate privileges  kernel       Windows 10

Detections

YARA 🏹

  • Exact Match: with header and size limitation
  • Threat Hunting: without header and size limitation

Sigma 🛡️

  • Names: detects loading using name only
  • Hashes: detects loading using hashes only

Sysmon 🔎

  • Block: on hashes
  • Alert: on hashes

Resources


  • https://github.com/zeze-zeze/CYBERSEC2023-BYOVD-Demo

  • Known Vulnerable Samples

    Filename: malicious.sys
    Creation Timestamp: 2023-05-11 11:16:19
    MD5: 0b311af53d2f4f77d30f1aed709db257
    SHA1: 43501832ce50ccaba2706be852813d51de5a900f
    SHA256: 23e89fd30a1c7db37f3ea81b779ce9acf8a4294397cbb54cff350d54afcfd931
    Authentihash MD5: b877e53d3bc3df3d62dc7b26c9b9b006
    Authentihash SHA1: 8fb8d175848525061418e80fe95ced27cc0ba0a4
    Authentihash SHA256: 4cfd9cb41a51b1e1fdfc9a6855323bf11a0baf18e5d8f0ee7480a8cb5be7c8ac
    RichPEHeaderHash MD5: a6ba2bd951320636370c55e8d7761b8a
    RichPEHeaderHash SHA1: 20cbbdef0d0d877dba78ae5a8dcd5b8ad33f38cd
    RichPEHeaderHash SHA256: 26b111f150fd8e467e4cb89713a96e1d8f92a50406c4c61bdbea31bcb57343b5

    Certificates

    Certificate 7b475bcb4233f98946d0a1fbeb9de9ce
    ToBeSigned (TBS) MD5: d606eff6aa2f4e57d695c323c6a3591d
    ToBeSigned (TBS) SHA1: 83bcbb816007b04a98dddc2ce9d83569e0a913d8
    ToBeSigned (TBS) SHA256: f367ed049a014c61efef0ed4a4e726dc97c83b58e36b346b68b3039342f2f53c
    Subject: CN=WDKTestCert zezec,132961360795713868
    ValidFrom: 2022-05-04 11:08:00
    ValidTo: 2032-05-04 00:00:00
    Signature: 8a3d87651fb15fcff7666b659d53aa7d6c87f964fdfcee7cdf84e40ccb8fbfe2e27dfc99993a21d9a27e979c9a8ea7db1e6909a386c9ca493d883dd4d3434e3584bd65991851775ca4d8037cd040ab4203fa663da5c06f8b20bae3781684c34481b7b497e51d12461e8885dd013404cb4bdb7bc48c11605043b6d6db7f18b1c60729a92f57bdce8a7dc4023f4162ff126cea4290762dfcdd4fbee670c2326812a74e2db6eb7845b006b56321c0a12cb74ba5f8338d96ec2b8c210e514098839bcf7a5eb53768f2c3d6a7168ffadff069764a48ca66671f1accc5f612debbfe0a07beafe426bb81384b17c6e0b493a7b92053b56aa2ed26e86bed6c131e300061
    SignatureAlgorithmOID: 1.2.840.113549.1.1.5
    IsCertificateAuthority: True
    SerialNumber: 7b475bcb4233f98946d0a1fbeb9de9ce
    Version: 3

    Imports

    • ntoskrnl.exe

    Imported Functions

    • DbgPrint
    • KeLowerIrql
    • KfRaiseIrql
    • IofCompleteRequest
    • MmIsAddressValid
    • PsProcessType
    • PsThreadType

    Exported Functions


    Sections

    • .text
    • .rdata
    • .data
    • .pdata
    • INIT
    • .reloc

    Signature

    {
      "Certificates": [
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "7b475bcb4233f98946d0a1fbeb9de9ce",
          "Signature": "8a3d87651fb15fcff7666b659d53aa7d6c87f964fdfcee7cdf84e40ccb8fbfe2e27dfc99993a21d9a27e979c9a8ea7db1e6909a386c9ca493d883dd4d3434e3584bd65991851775ca4d8037cd040ab4203fa663da5c06f8b20bae3781684c34481b7b497e51d12461e8885dd013404cb4bdb7bc48c11605043b6d6db7f18b1c60729a92f57bdce8a7dc4023f4162ff126cea4290762dfcdd4fbee670c2326812a74e2db6eb7845b006b56321c0a12cb74ba5f8338d96ec2b8c210e514098839bcf7a5eb53768f2c3d6a7168ffadff069764a48ca66671f1accc5f612debbfe0a07beafe426bb81384b17c6e0b493a7b92053b56aa2ed26e86bed6c131e300061",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "CN=WDKTestCert zezec,132961360795713868",
          "TBS": {
            "MD5": "d606eff6aa2f4e57d695c323c6a3591d",
            "SHA1": "83bcbb816007b04a98dddc2ce9d83569e0a913d8",
            "SHA256": "f367ed049a014c61efef0ed4a4e726dc97c83b58e36b346b68b3039342f2f53c",
            "SHA384": "28180687451e1c889191ef51deada86464e2918530084d6d17378238660a39488fc819a164ec225091dd75734d1ebcbd"
          },
          "ValidFrom": "2022-05-04 11:08:00",
          "ValidTo": "2032-05-04 00:00:00",
          "Version": 3
        }
      ],
      "CertificatesInfo": "",
      "Signer": [
        {
          "Issuer": "CN=WDKTestCert zezec,132961360795713868",
          "SerialNumber": "7b475bcb4233f98946d0a1fbeb9de9ce",
          "Version": 1
        }
      ],
      "SignerInfo": ""
    }
    


    last_updated: 2024-09-26