5f70bde4-9f81-44a8-9d3e-c6c7cf65bfae

PanIO.sys

We were not able to verify the hash of this driver successfully, it has not been confirmed.

Description

PanIO.sys is a vulnerable driver and more information will be added as found.

  • UUID: 5f70bde4-9f81-44a8-9d3e-c6c7cf65bfae
  • Created: 2023-01-09
  • Author: Michael Haag
  • Acknowledgement: |

Download

This download link contains the vulnerable driver!

Commands

sc.exe create PanIO.sys binPath=C:\windows\temp\PanIO.sys type=kernel && sc.exe start PanIO.sys
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed driver files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
  • https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules

    • Known Vulnerable Samples

    PropertyValue
    FilenamePanIO.sys
    Creation Timestamp2014-04-17 03:16:02
    MD59a9dbf5107848c254381be67a4c1b1dd
    SHA1291b4a88ffd2ac1d6bf812ecaedc2d934dc503cb
    SHA256f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960
    Authentihash MD55af91c612918020b1dbc829a040d1c88
    Authentihash SHA1b65163db28ef590620b8966f14ec78fe7788ac6c
    Authentihash SHA256f246b9d22b3ffe15f2e97f306d049020f38ed162150c97d7a72e3ae0b22c79ad
    RichPEHeaderHash MD52e6ea3eb6f48633d555a0e6df8ead1e9
    RichPEHeaderHash SHA1b9921c63b614c38dc908cf1c11b22b78a9c82826
    RichPEHeaderHash SHA256fff270d0855ef3c64f1402738ef13b087b16bb314171df7b034a08e0e68188e1
    CompanyPan Yazilim Bilisim Teknolojileri Tic. Ltd. Sti.
    DescriptionTemperature and system information driver
    ProductPanIO Library
    OriginalFilenamePanIO.sys

    Download

    Certificates

    Expand
    Certificate 0400000000012f4ee152d7
    FieldValue
    ToBeSigned (TBS) MD5e140543fe3256027cfa79fc3c19c1776
    ToBeSigned (TBS) SHA1c655f94eb1ecc93de319fc0c9a2dc6c5ec063728
    ToBeSigned (TBS) SHA2563ca71e85908ff67368e4dc00253f5691b9e6d50c966e7784143d75fb92aa3448
    SubjectC=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2
    ValidFrom2011-04-13 10:00:00
    ValidTo2028-01-28 12:00:00
    Signature4e5e56901e46b4d94931f3bb1739281bc216ddfd41dc0905049b6fb2a29ad6992e40990055b5ea3fa52076d38634d417cc553ac782eeefa8babcd8069f1550dfcd167b523a02d7191afdaff0785ce04bc518df3a241edaacb8a95804020730dbb0125efe31bef00448f4f070f83a5e5683cf3dfb0dbcf4c5ed979db9d4dba52784e3389b8ba735864420a43b6da46a0ba183fd28ebdaef28f6cc885dfb0a3b00abe021ebe22f356c0f8e344597eba2f79933357ecb9a8abb454de73f9fc2d98afa65b26ec77e65ffe892e12c31a2f7b02736488f266f3bee4d761f79c3e57f9635bc2d0ecc01b08e7fff518080a792d4b34446648c874f166307314b63b0dff3
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber0400000000012f4ee152d7
    Version3
    Certificate 0400000000012f4ee1355c
    FieldValue
    ToBeSigned (TBS) MD5f6a9e8eb8784f3f694b4e353c08a0ff5
    ToBeSigned (TBS) SHA1589a7d4df869395601ba7538a65afae8c4616385
    ToBeSigned (TBS) SHA256cbdc9a0ad785d0c2013211746b42234e18bdc7d54a7a260647badc1c9e712ed4
    SubjectC=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2
    ValidFrom2011-04-13 10:00:00
    ValidTo2019-04-13 10:00:00
    Signature225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber0400000000012f4ee1355c
    Version3
    Certificate 1121405c1f0ed258882be54d8686ba11ea45
    FieldValue
    ToBeSigned (TBS) MD5b95cbc184d388718612d5933f7b36770
    ToBeSigned (TBS) SHA1ff124c5d160710720108616ffee99bbe090ed363
    ToBeSigned (TBS) SHA25613027620255363f07bbf85ae7d0dc06c07d8b0f4368b12f983ee3f4fce605733
    SubjectC=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G1
    ValidFrom2013-08-23 00:00:00
    ValidTo2024-09-23 00:00:00
    Signature0231142e5857644185e8af12753c881cc35eec2ce9a13cf5baaa531db9d12963dc436786d439dadec6c9ffbe4585f4a4d7c151ea18ee40585ee67bcca241291338c8ea21169cce90a62efba6cad994df401df902182bbef65d4f9fff9a48dbc50509ca80cea0f9dc4bc323e6038fb4b4af5b71296191181a6b7af2fd0dd1cd7d5e98ebba705ee5f4ea43de353dc514818adb3e105ebb72faa1a093ab031cc1653c91138b045d2bc4b9161bcc55c50ce8abe743c9b28328a5531347ab3964b91cea3430b176009521f1d43da8fda00032d76e983ca69c3b0b83becbb8bb2a268c59b8b9aeaf26ace234a2dc210d810b3813f745a3e3dbc4aca16d1bb7e5615cd7
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber1121405c1f0ed258882be54d8686ba11ea45
    Version3
    Certificate 1121506480253469e07e54ee8612041fbb92
    FieldValue
    ToBeSigned (TBS) MD5f56d9ee0c69c7569e5c15b486bca6e2e
    ToBeSigned (TBS) SHA1819ca6276ed76625e86bb6def0d45f61d37c8975
    ToBeSigned (TBS) SHA256b3b13c549110379d1141116de140cad748fb8345208cd31eb2443850a529b53b
    SubjectC=TR, ST=ISTANBUL, O=PAN YAZILIM BILISIM TEKNOLOJILERI TICARET LTD. STI., CN=PAN YAZILIM BILISIM TEKNOLOJILERI TICARET LTD. STI.
    ValidFrom2014-04-15 15:12:40
    ValidTo2015-04-15 10:41:35
    Signature80c106b241d9ce3836aa7f9cace1ff4019c000e7010613722cb52e25e706045117d0fc96252e9dcea3fbc685222c39fca608d772e3f15cb43d550686265d301bbdc1e45ce75db149dff45be1adb71ee24385407afac778ede4e047359e64e06d29b5bdab18517dd5751cd255bd05600be47f4774be0c97666d5afe6aa64ee53ee9083e0587fd5a2b3767733fd5c1eb58364c4e8823db789da3d0157eb468805f3a0032103e65265ee45cd7181abfb3583d8d3b20d4f6f0a010c0bf01a2d82df1c3a22220e712d83b067aec59990117b623cda1a344a7584fb74145df822b2a709b3ca47a45fd4822d3bcd1691b18ddbb64b7daa42dd63664d796fbf2fc7474ba
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber1121506480253469e07e54ee8612041fbb92
    Version3
    Certificate 610b7f6b000000000019
    FieldValue
    ToBeSigned (TBS) MD54798d55be7663a75649cda4dedc686ef
    ToBeSigned (TBS) SHA10f1ab2937b245d9466ea6f9bf056a5942e3989cf
    ToBeSigned (TBS) SHA256ef14ea05bb066ee9f4188196dd69cd769b283ac4d7555db52f5e76922d3456e1
    SubjectC=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA
    ValidFrom2006-05-23 17:00:51
    ValidTo2016-05-23 17:10:51
    Signature13c56c5e077f3c57ff9b315f3fbd955425c679f92c31034d64694b56d95b976f7cf3f0d024657538639813701613f7a701f1c623e085866c0bf080945a75e87ce41e92b473bfc1b3a7b00bd31884cbcc09a35c9c4f3eb03a9c2d1bc404ef9737966fe5ecbaac6ab3d4e23cdf8b25e7acbc624531dda40a72e41bf8784301ccba3914de5d90aed85acf5eca46815133d5a60e5867d3d8665888169beeb11acaad91138421da9a6e20efda007428bac95ff34d5dc3da25692554ea44bcc39b29331cd63c961f8781c553d72a2733d42e197c08586ddb4e1999a9ea5ff39a9d8c513a5a5cbd2fa908359b54a7db351a521633343aa380046afdb4838cad90cf0c3a6596ec334e1826b849bbeb8192ff134d324b23c733e7b6716b15f69c80e6bcb76cbe41d5033a7133150050743b0e5df996aaed903eab134c809926bc38a5eb0236891db620be83ab10f8199ed76379d4aeb12f6136f94a4ba833c70e7241f9f1b1907eae46efde397b75a0411459041d42bc4788b8130e05fa1df0808dff70c677d84bdc460e231a72d5bfdefeaaae69583cfc5c46e4d5819a8b6e6559771a32a590a6b6649364fd0753c9a0de28ad2a6cc638d181ce98f54019e92c1743a4265fd3443053e41d02baa40a2f16dd7a60275242bbad98372897e4b8d27911e3108c48d5305d0a0c52def588ea8d1a2d67c9f4801484b7850cd16628a5c66f2461
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber610b7f6b000000000019
    Version3

    Imports

    Expand
    • ntoskrnl.exe
    • HAL.dll

    Imported Functions

    Expand
    • IoCreateSymbolicLink
    • IofCompleteRequest
    • KeTickCount
    • MmMapIoSpace
    • READ_REGISTER_BUFFER_ULONG
    • READ_REGISTER_BUFFER_USHORT
    • READ_REGISTER_BUFFER_UCHAR
    • MmUnmapIoSpace
    • RtlInitUnicodeString
    • IoDeleteSymbolicLink
    • IoCreateDevice
    • IoDeleteDevice
    • RtlUnwind
    • KeBugCheckEx
    • HalGetBusDataByOffset
    • WRITE_PORT_ULONG
    • WRITE_PORT_USHORT
    • WRITE_PORT_UCHAR
    • READ_PORT_ULONG
    • READ_PORT_USHORT
    • READ_PORT_UCHAR
    • HalSetBusDataByOffset

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • INIT
    • .rsrc
    • .reloc

    Signature

    Expand
    {
  "Certificates": [
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "0400000000012f4ee152d7",
      "Signature": "4e5e56901e46b4d94931f3bb1739281bc216ddfd41dc0905049b6fb2a29ad6992e40990055b5ea3fa52076d38634d417cc553ac782eeefa8babcd8069f1550dfcd167b523a02d7191afdaff0785ce04bc518df3a241edaacb8a95804020730dbb0125efe31bef00448f4f070f83a5e5683cf3dfb0dbcf4c5ed979db9d4dba52784e3389b8ba735864420a43b6da46a0ba183fd28ebdaef28f6cc885dfb0a3b00abe021ebe22f356c0f8e344597eba2f79933357ecb9a8abb454de73f9fc2d98afa65b26ec77e65ffe892e12c31a2f7b02736488f266f3bee4d761f79c3e57f9635bc2d0ecc01b08e7fff518080a792d4b34446648c874f166307314b63b0dff3",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2",
      "TBS": {
        "MD5": "e140543fe3256027cfa79fc3c19c1776",
        "SHA1": "c655f94eb1ecc93de319fc0c9a2dc6c5ec063728",
        "SHA256": "3ca71e85908ff67368e4dc00253f5691b9e6d50c966e7784143d75fb92aa3448",
        "SHA384": "d9d366f9328f2b55ee19a32cc5fd5148b81d764282fe5dc196c872ae249caa51d2c212ef39f33945dfe0cda81925e326"
      },
      "ValidFrom": "2011-04-13 10:00:00",
      "ValidTo": "2028-01-28 12:00:00",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "0400000000012f4ee1355c",
      "Signature": "225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2",
      "TBS": {
        "MD5": "f6a9e8eb8784f3f694b4e353c08a0ff5",
        "SHA1": "589a7d4df869395601ba7538a65afae8c4616385",
        "SHA256": "cbdc9a0ad785d0c2013211746b42234e18bdc7d54a7a260647badc1c9e712ed4",
        "SHA384": "dcec542f242317863d0b3d23947e17d6982e381003831777b07ed75b46fb18bd0392a89c9beb6862981cd05f3f2fb77b"
      },
      "ValidFrom": "2011-04-13 10:00:00",
      "ValidTo": "2019-04-13 10:00:00",
      "Version": 3
    },
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "1121405c1f0ed258882be54d8686ba11ea45",
      "Signature": "0231142e5857644185e8af12753c881cc35eec2ce9a13cf5baaa531db9d12963dc436786d439dadec6c9ffbe4585f4a4d7c151ea18ee40585ee67bcca241291338c8ea21169cce90a62efba6cad994df401df902182bbef65d4f9fff9a48dbc50509ca80cea0f9dc4bc323e6038fb4b4af5b71296191181a6b7af2fd0dd1cd7d5e98ebba705ee5f4ea43de353dc514818adb3e105ebb72faa1a093ab031cc1653c91138b045d2bc4b9161bcc55c50ce8abe743c9b28328a5531347ab3964b91cea3430b176009521f1d43da8fda00032d76e983ca69c3b0b83becbb8bb2a268c59b8b9aeaf26ace234a2dc210d810b3813f745a3e3dbc4aca16d1bb7e5615cd7",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G1",
      "TBS": {
        "MD5": "b95cbc184d388718612d5933f7b36770",
        "SHA1": "ff124c5d160710720108616ffee99bbe090ed363",
        "SHA256": "13027620255363f07bbf85ae7d0dc06c07d8b0f4368b12f983ee3f4fce605733",
        "SHA384": "f42ed00f615f2822dcd3d33794477428afb52ddab932ebcde3586f92a27e18f9faba6b3334ca4e59e0cb24bdbf8395a6"
      },
      "ValidFrom": "2013-08-23 00:00:00",
      "ValidTo": "2024-09-23 00:00:00",
      "Version": 3
    },
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "1121506480253469e07e54ee8612041fbb92",
      "Signature": "80c106b241d9ce3836aa7f9cace1ff4019c000e7010613722cb52e25e706045117d0fc96252e9dcea3fbc685222c39fca608d772e3f15cb43d550686265d301bbdc1e45ce75db149dff45be1adb71ee24385407afac778ede4e047359e64e06d29b5bdab18517dd5751cd255bd05600be47f4774be0c97666d5afe6aa64ee53ee9083e0587fd5a2b3767733fd5c1eb58364c4e8823db789da3d0157eb468805f3a0032103e65265ee45cd7181abfb3583d8d3b20d4f6f0a010c0bf01a2d82df1c3a22220e712d83b067aec59990117b623cda1a344a7584fb74145df822b2a709b3ca47a45fd4822d3bcd1691b18ddbb64b7daa42dd63664d796fbf2fc7474ba",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=TR, ST=ISTANBUL, O=PAN YAZILIM BILISIM TEKNOLOJILERI TICARET LTD. STI., CN=PAN YAZILIM BILISIM TEKNOLOJILERI TICARET LTD. STI.",
      "TBS": {
        "MD5": "f56d9ee0c69c7569e5c15b486bca6e2e",
        "SHA1": "819ca6276ed76625e86bb6def0d45f61d37c8975",
        "SHA256": "b3b13c549110379d1141116de140cad748fb8345208cd31eb2443850a529b53b",
        "SHA384": "2f15812fb4c9bba4d8ae7916fa4ffc9ad0a69724d77dc564c89b1e5df3e98b8797b63fcafe68eef9acf1d8817e9988cf"
      },
      "ValidFrom": "2014-04-15 15:12:40",
      "ValidTo": "2015-04-15 10:41:35",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "610b7f6b000000000019",
      "Signature": "13c56c5e077f3c57ff9b315f3fbd955425c679f92c31034d64694b56d95b976f7cf3f0d024657538639813701613f7a701f1c623e085866c0bf080945a75e87ce41e92b473bfc1b3a7b00bd31884cbcc09a35c9c4f3eb03a9c2d1bc404ef9737966fe5ecbaac6ab3d4e23cdf8b25e7acbc624531dda40a72e41bf8784301ccba3914de5d90aed85acf5eca46815133d5a60e5867d3d8665888169beeb11acaad91138421da9a6e20efda007428bac95ff34d5dc3da25692554ea44bcc39b29331cd63c961f8781c553d72a2733d42e197c08586ddb4e1999a9ea5ff39a9d8c513a5a5cbd2fa908359b54a7db351a521633343aa380046afdb4838cad90cf0c3a6596ec334e1826b849bbeb8192ff134d324b23c733e7b6716b15f69c80e6bcb76cbe41d5033a7133150050743b0e5df996aaed903eab134c809926bc38a5eb0236891db620be83ab10f8199ed76379d4aeb12f6136f94a4ba833c70e7241f9f1b1907eae46efde397b75a0411459041d42bc4788b8130e05fa1df0808dff70c677d84bdc460e231a72d5bfdefeaaae69583cfc5c46e4d5819a8b6e6559771a32a590a6b6649364fd0753c9a0de28ad2a6cc638d181ce98f54019e92c1743a4265fd3443053e41d02baa40a2f16dd7a60275242bbad98372897e4b8d27911e3108c48d5305d0a0c52def588ea8d1a2d67c9f4801484b7850cd16628a5c66f2461",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA",
      "TBS": {
        "MD5": "4798d55be7663a75649cda4dedc686ef",
        "SHA1": "0f1ab2937b245d9466ea6f9bf056a5942e3989cf",
        "SHA256": "ef14ea05bb066ee9f4188196dd69cd769b283ac4d7555db52f5e76922d3456e1",
        "SHA384": "6e7450a139856aeda6fa6284ff89b3752a9b646e096b4d33dd7e8e727742a2111481531581c0aa2cda0338e22cfdbad3"
      },
      "ValidFrom": "2006-05-23 17:00:51",
      "ValidTo": "2016-05-23 17:10:51",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2",
      "SerialNumber": "1121506480253469e07e54ee8612041fbb92",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

    source

    last_updated: 2024-04-09