6fc3034f-8b40-44ef-807a-f61d3ea2dece

NBIOLib_X64.sys :inline

Description

NBIOLib_X64.sys is a vulnerable driver and more information will be added as found.

  • UUID: 6fc3034f-8b40-44ef-807a-f61d3ea2dece
  • Created: 2023-01-09
  • Author: Michael Haag
  • Acknowledgement: |

Download

This download link contains the vulnerable driver!

Commands

sc.exe create NBIOLib_X64.sys binPath=C:\windows\temp\NBIOLib_X64.sys     type=kernel && sc.exe start NBIOLib_X64.sys
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed driver files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md
  • https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md

    • Known Vulnerable Samples

    PropertyValue
    FilenameNBIOLib_X64.sys
    Creation Timestamp2015-11-23 23:34:45
    MD5f2f728d2f69765f5dfda913d407783d2
    SHA135829e096a15e559fcbabf3441d99e580ca3b26e
    SHA2563f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5
    Authentihash MD52d87365d63e81ef0edc577bf0cb33995
    Authentihash SHA1b472d32094e258b2af60914db8604cd0bf439c4b
    Authentihash SHA256d33f19a12cd8e8649a56ce2a41e2b56d2ed80f203e5ededc4114c78ef773ffa8
    RichPEHeaderHash MD541ddd08b440611823bc5d8cb732c563d
    RichPEHeaderHash SHA18acdfc9ac988c6250e2a031640f6e169b5fddb73
    RichPEHeaderHash SHA256189683b4db2e68d2f0b3f91f1141907b3887f23991867a68a22389d40ad3634e
    CompanyMSI
    DescriptionNTIOLib
    ProductNTIOLib
    OriginalFilenameNTIOLib.sys

    Download

    Certificates

    Expand
    Certificate 7e93ebfb7cc64e59ea4b9a77d406fc3b
    FieldValue
    ToBeSigned (TBS) MD5d0785ad36e427c92b19f6826ab1e8020
    ToBeSigned (TBS) SHA1365b7a9c21bd9373e49052c3e7b3e4646ddd4d43
    ToBeSigned (TBS) SHA256c2abb7484da91a658548de089d52436175fdb760a1387d225611dc0613a1e2ff
    SubjectC=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2
    ValidFrom2012-12-21 00:00:00
    ValidTo2020-12-30 23:59:59
    Signature03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber7e93ebfb7cc64e59ea4b9a77d406fc3b
    Version3
    Certificate 0400000000012f4ee1355c
    FieldValue
    ToBeSigned (TBS) MD5f6a9e8eb8784f3f694b4e353c08a0ff5
    ToBeSigned (TBS) SHA1589a7d4df869395601ba7538a65afae8c4616385
    ToBeSigned (TBS) SHA256cbdc9a0ad785d0c2013211746b42234e18bdc7d54a7a260647badc1c9e712ed4
    SubjectC=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2
    ValidFrom2011-04-13 10:00:00
    ValidTo2019-04-13 10:00:00
    Signature225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber0400000000012f4ee1355c
    Version3
    Certificate 0ecff438c8febf356e04d86a981b1a50
    FieldValue
    ToBeSigned (TBS) MD5e9d38360b914c8863f6cba3ee58764d3
    ToBeSigned (TBS) SHA14cba8eae47b6bf76f20b3504b98b8f062694a89b
    ToBeSigned (TBS) SHA25688901d86a4cc1f1bb193d08e1fb63d27452e63f83e228c657ab1a92e4ade3976
    SubjectC=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4
    ValidFrom2012-10-18 00:00:00
    ValidTo2020-12-29 23:59:59
    Signature783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber0ecff438c8febf356e04d86a981b1a50
    Version3
    Certificate 6129152700000000002a
    FieldValue
    ToBeSigned (TBS) MD50bb058d116f02817737920f112d9fd3b
    ToBeSigned (TBS) SHA1fd116235171a4feafedee586b7a59185fb5fd7e6
    ToBeSigned (TBS) SHA256f970426cc46d2ae0fc5f899fa19dbe76e05f07e525654c60c3c9399492c291f4
    SubjectC=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA
    ValidFrom2011-04-15 19:55:08
    ValidTo2021-04-15 20:05:08
    Signature5ff8d065746a81c6a6ca5b03b6914ae84bbdef2ba142f0efb4a5adcd3389ec0b9585ac62501108aa58d25aa08310e5a6337af25af2c5fe787cf09c83df190ad97396002dd62ccde914d41d9de83f3c1a76f7904efb01350a6c9313a0c356eb67a0e4d17a96dec267f190f80a7bf5321b94ec5f751f8d1b34da6c58a7cb2d279e2226b7c9aa30cc0777b836e38201b5393ccc8dd9a75f7f23b3877fdb5798918bd7ce2520e39d644fdd87f72b68490318e0a5df7c5f68644d36838d4781f2e9e0a869abfa7b163c05a449ea8830190a6c73055178dfd41ddd3ad47f2de44e54be83431e7a7433b4a4ebd77073bc2a02988966eef6bc8f749378e329025a5a43e258ce7ccf9acad236893be25fda26054ec8d4e72c910e1797c5beee8b13112323294ffa83d050f6bafad53db3173df4ff034aa325dce67561d1fa35086bd62744d068b78d45e0eb852cc8a15d614474160e5958aed2b5eea5bcd6d7076ab62978fd976767dd8d4f17944fd2ed0caf972437c3a29c81da6be143b6577b4cecbf791319e79fe844e94781b75e701e91f83dd17b27f50b7056434805dda92fab86101d0b12e31ad04c6e75ded645b30b748887935c564a41029af7aeb799d8b67f88fa11f2457cf4d71b91c01cf1a0fbd4080a411a142acef4eb34486e66879ed54b7a397fbb0e3d3861cf735706e412066bd96b5308cd7018c22d4f974691bca9f0
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber6129152700000000002a
    Version3
    Certificate 112158044863e4dc19cf29a85668b7f45842
    FieldValue
    ToBeSigned (TBS) MD5403bb44a62aed1a94bd5df05b3292482
    ToBeSigned (TBS) SHA1e4a0353e75940ab1e8cbff2f433f186c7f0b0f09
    ToBeSigned (TBS) SHA2565b81998ed98b343c04134c336e03f3051779eae0e9f882e8339593d18556375d
    SubjectC=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.
    ValidFrom2014-06-03 09:16:15
    ValidTo2017-09-03 09:16:15
    Signature8c35a5b5d3503f50119ab8f99b07a4bb4b71cafaf983206f744545c2997ae1762032fa2d37f4780cfe83bfa999d7bcbd863dc4a51ff39978160e2e191482ae6d7f08e8ffa337c96d8c2d38ddf476a497265a890c1bbf0dee89b1abd32343889a3757732d205ba06525fa8f6e15005405a53e55cef71ac0b6af3a640e4c8aef5e950ab8a8b5c8bcddb2ade96ad9473a3d860ae16fdbe3362cabfd916da089167d906d378dbf4534f7ffb77d87baba29f8f5bbbd9b4b7c127ac170a270dc7a7272d38fdf3bbadbfb448d47e5dd4d310a588666a0d66762e1b3704b1e00e39739190c02f4b981cf2d27ba07d2472ec320edf29e263f26278995d162102968c999b3
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber112158044863e4dc19cf29a85668b7f45842
    Version3

    Imports

    Expand
    • ntoskrnl.exe
    • HAL.dll

    Imported Functions

    Expand
    • MmUnmapIoSpace
    • MmMapIoSpace
    • IofCompleteRequest
    • IoDeleteDevice
    • IoCreateDevice
    • KeBugCheckEx
    • RtlInitUnicodeString
    • IoCreateSymbolicLink
    • IoDeleteSymbolicLink
    • __C_specific_handler
    • HalSetBusDataByOffset
    • HalGetBusDataByOffset

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • INIT
    • .rsrc

    Signature

    Expand
    {
  "Certificates": [
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "7e93ebfb7cc64e59ea4b9a77d406fc3b",
      "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2",
      "TBS": {
        "MD5": "d0785ad36e427c92b19f6826ab1e8020",
        "SHA1": "365b7a9c21bd9373e49052c3e7b3e4646ddd4d43",
        "SHA256": "c2abb7484da91a658548de089d52436175fdb760a1387d225611dc0613a1e2ff",
        "SHA384": "eab4fe5ef90e0de4a6aa3a27769a5e879f588df5e4785aa4104debd1f81e19ea56d33e3a16e5facf99f68b5d8e3d287b"
      },
      "ValidFrom": "2012-12-21 00:00:00",
      "ValidTo": "2020-12-30 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "0400000000012f4ee1355c",
      "Signature": "225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2",
      "TBS": {
        "MD5": "f6a9e8eb8784f3f694b4e353c08a0ff5",
        "SHA1": "589a7d4df869395601ba7538a65afae8c4616385",
        "SHA256": "cbdc9a0ad785d0c2013211746b42234e18bdc7d54a7a260647badc1c9e712ed4",
        "SHA384": "dcec542f242317863d0b3d23947e17d6982e381003831777b07ed75b46fb18bd0392a89c9beb6862981cd05f3f2fb77b"
      },
      "ValidFrom": "2011-04-13 10:00:00",
      "ValidTo": "2019-04-13 10:00:00",
      "Version": 3
    },
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "0ecff438c8febf356e04d86a981b1a50",
      "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4",
      "TBS": {
        "MD5": "e9d38360b914c8863f6cba3ee58764d3",
        "SHA1": "4cba8eae47b6bf76f20b3504b98b8f062694a89b",
        "SHA256": "88901d86a4cc1f1bb193d08e1fb63d27452e63f83e228c657ab1a92e4ade3976",
        "SHA384": "e9f2a75334a9e336c5a4712eadee88d0374b0fdc273262f4e65c9040ad2793067cc076696db5279a478773485e285652"
      },
      "ValidFrom": "2012-10-18 00:00:00",
      "ValidTo": "2020-12-29 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "6129152700000000002a",
      "Signature": "5ff8d065746a81c6a6ca5b03b6914ae84bbdef2ba142f0efb4a5adcd3389ec0b9585ac62501108aa58d25aa08310e5a6337af25af2c5fe787cf09c83df190ad97396002dd62ccde914d41d9de83f3c1a76f7904efb01350a6c9313a0c356eb67a0e4d17a96dec267f190f80a7bf5321b94ec5f751f8d1b34da6c58a7cb2d279e2226b7c9aa30cc0777b836e38201b5393ccc8dd9a75f7f23b3877fdb5798918bd7ce2520e39d644fdd87f72b68490318e0a5df7c5f68644d36838d4781f2e9e0a869abfa7b163c05a449ea8830190a6c73055178dfd41ddd3ad47f2de44e54be83431e7a7433b4a4ebd77073bc2a02988966eef6bc8f749378e329025a5a43e258ce7ccf9acad236893be25fda26054ec8d4e72c910e1797c5beee8b13112323294ffa83d050f6bafad53db3173df4ff034aa325dce67561d1fa35086bd62744d068b78d45e0eb852cc8a15d614474160e5958aed2b5eea5bcd6d7076ab62978fd976767dd8d4f17944fd2ed0caf972437c3a29c81da6be143b6577b4cecbf791319e79fe844e94781b75e701e91f83dd17b27f50b7056434805dda92fab86101d0b12e31ad04c6e75ded645b30b748887935c564a41029af7aeb799d8b67f88fa11f2457cf4d71b91c01cf1a0fbd4080a411a142acef4eb34486e66879ed54b7a397fbb0e3d3861cf735706e412066bd96b5308cd7018c22d4f974691bca9f0",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA",
      "TBS": {
        "MD5": "0bb058d116f02817737920f112d9fd3b",
        "SHA1": "fd116235171a4feafedee586b7a59185fb5fd7e6",
        "SHA256": "f970426cc46d2ae0fc5f899fa19dbe76e05f07e525654c60c3c9399492c291f4",
        "SHA384": "c0df876be008c26ca407fe904e6f5e7ccded17f9c16830ce9f8022309c9e64c97f494810f152811ae43e223b82ad7cc6"
      },
      "ValidFrom": "2011-04-15 19:55:08",
      "ValidTo": "2021-04-15 20:05:08",
      "Version": 3
    },
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "112158044863e4dc19cf29a85668b7f45842",
      "Signature": "8c35a5b5d3503f50119ab8f99b07a4bb4b71cafaf983206f744545c2997ae1762032fa2d37f4780cfe83bfa999d7bcbd863dc4a51ff39978160e2e191482ae6d7f08e8ffa337c96d8c2d38ddf476a497265a890c1bbf0dee89b1abd32343889a3757732d205ba06525fa8f6e15005405a53e55cef71ac0b6af3a640e4c8aef5e950ab8a8b5c8bcddb2ade96ad9473a3d860ae16fdbe3362cabfd916da089167d906d378dbf4534f7ffb77d87baba29f8f5bbbd9b4b7c127ac170a270dc7a7272d38fdf3bbadbfb448d47e5dd4d310a588666a0d66762e1b3704b1e00e39739190c02f4b981cf2d27ba07d2472ec320edf29e263f26278995d162102968c999b3",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.",
      "TBS": {
        "MD5": "403bb44a62aed1a94bd5df05b3292482",
        "SHA1": "e4a0353e75940ab1e8cbff2f433f186c7f0b0f09",
        "SHA256": "5b81998ed98b343c04134c336e03f3051779eae0e9f882e8339593d18556375d",
        "SHA384": "db0076cad41a0ef4ea68754ef6905bd5ff772adcb745b05c0060344e43588abc95952dc3ad272f5a8f17b206e4089aca"
      },
      "ValidFrom": "2014-06-03 09:16:15",
      "ValidTo": "2017-09-03 09:16:15",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2",
      "SerialNumber": "112158044863e4dc19cf29a85668b7f45842",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

    source

    last_updated: 2024-04-09