66be9e0a-9246-4404-b5b5-7fbde351668f

BS_I2cIo.sys :inline

Description

BS_I2cIo.sys is a vulnerable driver and more information will be added as found.

  • UUID: 66be9e0a-9246-4404-b5b5-7fbde351668f
  • Created: 2023-05-06
  • Author: Nasreddine Bencherchali
  • Acknowledgement: |

Download

This download link contains the vulnerable driver!

Commands

sc.exe create BS_I2cIo.sys binPath=C:\windows\temp\BS_I2cIo.sys type=kernel && sc.exe start BS_I2cIo.sys
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed driver files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • Internal Research

    • Known Vulnerable Samples

    PropertyValue
    FilenameBS_I2cIo.sys
    Creation Timestamp2006-12-11 00:48:39
    MD53c4154866f3d483fdc9f4f64ef868888
    SHA1f7ce71891738a976cd8d4b516c8d7a8e2f6b0ad6
    SHA25642e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb
    Authentihash MD52e6a361506f00fc7de30642776c8d3be
    Authentihash SHA1862fef3d6a6d7488ef4d6f7799ac296cd96256b7
    Authentihash SHA25621af8e034ca42ab24a5d1623f70de9c66eeea63d72aeb0f1846b1e04dbdf4f51
    RichPEHeaderHash MD54ed2618a21b160612d932949de7cc9c1
    RichPEHeaderHash SHA1c8532f6c93c3309ef18d1af84e23974e37c416c9
    RichPEHeaderHash SHA256b6afffab9ad144e0b85cfb4291c424fe49ccb7755d35ecc957a676995d30d30a
    CompanyBIOSTAR Group
    DescriptionI/O Interface driver file
    ProductBIOSTAR I/O driver fle
    OriginalFilenameBS_I2cIo.sys

    Download

    Certificates

    Expand
    Certificate 4191a15a3978dfcf496566381d4c75c2
    FieldValue
    ToBeSigned (TBS) MD541011f8d0e7c7a6408334ca387914c61
    ToBeSigned (TBS) SHA1c7fc1727f5b75a6421a1f95c73bbdb23580c48e5
    ToBeSigned (TBS) SHA25688dd3952638ee82738c03168e6fd863fe4eab1059ee5e2926ad8cb587c255dc0
    SubjectC=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA
    ValidFrom2004-07-16 00:00:00
    ValidTo2014-07-15 23:59:59
    Signatureae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber4191a15a3978dfcf496566381d4c75c2
    Version3
    Certificate 610c120600000000001b
    FieldValue
    ToBeSigned (TBS) MD553c41bc1164e09e0cd1617a5bf913efd
    ToBeSigned (TBS) SHA193c03aac8951d494ecd5696b1c08658541b18727
    ToBeSigned (TBS) SHA25640bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b
    SubjectC=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
    ValidFrom2006-05-23 17:01:29
    ValidTo2016-05-23 17:11:29
    Signature01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber610c120600000000001b
    Version3
    Certificate 49a570277854e9481d38e34c081226ee
    FieldValue
    ToBeSigned (TBS) MD527a32ddae1fd74f01b6324484fb5995a
    ToBeSigned (TBS) SHA1d68dfe595f9f0f94672e1a7b876a2987ba81e675
    ToBeSigned (TBS) SHA25666ef4bb0b353d5f97d46898668f3ea82ac36dd6bf50e70b84fa9a19568fec33f
    SubjectC=TW, ST=TAIPEI HSIEN, L=HSIN TIEN, O=BIOSTAR MICROTECH INT'L CORP, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=BMA;BMG, CN=BIOSTAR MICROTECH INT'L CORP
    ValidFrom2006-09-25 00:00:00
    ValidTo2007-10-20 23:59:59
    Signature0f57cd03d7933c61e5a7149ca948f303376e3d2efe529e8255e98c48ee2dcef4506770eae209c5f308beba1c77ce9a4c0fb27eba18fa8a27911d889259e1064b66028050b2f8dfca9c3cabd33908fdd95cfc71cb64626d108260b629cbeb70d94e12294a00d0f8f040bb05c94d71279e08ce449731bdba08392e11b847d9113ccbef6f585b7f359a33cc5768e1a785c50dc515391d4e14f8123558da7e9890615e275a2348b03e46c7357ec6c0746565851ede90ded73b98607c685c79ab30e8376b5a9b900f9e9047174e6ee8819459ed01243727a9d3bb4fbfb6484a36a0693d17405c4864e60d8fbb39a297fbdf0e7dc593a227ed9929ae05a0cddeb85b26
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber49a570277854e9481d38e34c081226ee
    Version3

    Imports

    Expand
    • ntoskrnl.exe
    • HAL.dll

    Imported Functions

    Expand
    • KeInitializeEvent
    • ExAllocatePoolWithTag
    • ExFreePoolWithTag
    • ObfDereferenceObject
    • KeWaitForSingleObject
    • ExInterlockedInsertTailList
    • RtlTimeToTimeFields
    • PsTerminateSystemThread
    • ZwWriteFile
    • ExInterlockedRemoveHeadList
    • KeSetPriorityThread
    • ZwCreateFile
    • RtlInitUnicodeString
    • PsCreateSystemThread
    • IoCreateSymbolicLink
    • IoCreateDevice
    • IoDeleteSymbolicLink
    • IoStartNextPacket
    • IoReleaseCancelSpinLock
    • IoAcquireCancelSpinLock
    • MmUnmapIoSpace
    • MmMapIoSpace
    • KeRemoveEntryDeviceQueue
    • IoStartPacket
    • IofCompleteRequest
    • ObReferenceObjectByHandle
    • ZwClose
    • IoDeleteDevice
    • KeSetEvent
    • HalSetBusDataByOffset
    • HalTranslateBusAddress
    • HalGetBusDataByOffset

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • PAGE
    • INIT
    • .rsrc
    • .reloc

    Signature

    Expand
    {
  "Certificates": [
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "4191a15a3978dfcf496566381d4c75c2",
      "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA",
      "TBS": {
        "MD5": "41011f8d0e7c7a6408334ca387914c61",
        "SHA1": "c7fc1727f5b75a6421a1f95c73bbdb23580c48e5",
        "SHA256": "88dd3952638ee82738c03168e6fd863fe4eab1059ee5e2926ad8cb587c255dc0",
        "SHA384": "a00aa5ed457c41e37967882644d63366bae014f03a986576d8514164d7027acf7d0b5e03d764db2558f60db148954459"
      },
      "ValidFrom": "2004-07-16 00:00:00",
      "ValidTo": "2014-07-15 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "610c120600000000001b",
      "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority",
      "TBS": {
        "MD5": "53c41bc1164e09e0cd1617a5bf913efd",
        "SHA1": "93c03aac8951d494ecd5696b1c08658541b18727",
        "SHA256": "40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b",
        "SHA384": "f51d4e75ba638f7314cd59b8d6d45f3b34d35ce6986e9d205cd6f333e8e8d8e9c91f636e6bc84731b6661673f40963d8"
      },
      "ValidFrom": "2006-05-23 17:01:29",
      "ValidTo": "2016-05-23 17:11:29",
      "Version": 3
    },
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "49a570277854e9481d38e34c081226ee",
      "Signature": "0f57cd03d7933c61e5a7149ca948f303376e3d2efe529e8255e98c48ee2dcef4506770eae209c5f308beba1c77ce9a4c0fb27eba18fa8a27911d889259e1064b66028050b2f8dfca9c3cabd33908fdd95cfc71cb64626d108260b629cbeb70d94e12294a00d0f8f040bb05c94d71279e08ce449731bdba08392e11b847d9113ccbef6f585b7f359a33cc5768e1a785c50dc515391d4e14f8123558da7e9890615e275a2348b03e46c7357ec6c0746565851ede90ded73b98607c685c79ab30e8376b5a9b900f9e9047174e6ee8819459ed01243727a9d3bb4fbfb6484a36a0693d17405c4864e60d8fbb39a297fbdf0e7dc593a227ed9929ae05a0cddeb85b26",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=TW, ST=TAIPEI HSIEN, L=HSIN TIEN, O=BIOSTAR MICROTECH INT\u0027L CORP, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=BMA;BMG, CN=BIOSTAR MICROTECH INT\u0027L CORP",
      "TBS": {
        "MD5": "27a32ddae1fd74f01b6324484fb5995a",
        "SHA1": "d68dfe595f9f0f94672e1a7b876a2987ba81e675",
        "SHA256": "66ef4bb0b353d5f97d46898668f3ea82ac36dd6bf50e70b84fa9a19568fec33f",
        "SHA384": "db35c2600ef6f07d526d98a2a67e5bc86d2e18d596d4e0e27a1f28e4fa3f88a46bdb554c99ede8158a74554492c3f4ad"
      },
      "ValidFrom": "2006-09-25 00:00:00",
      "ValidTo": "2007-10-20 23:59:59",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA",
      "SerialNumber": "49a570277854e9481d38e34c081226ee",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

    source

    last_updated: 2024-04-09