7a7630d6-d007-4d84-a17d-81236d9693e1

d.sys

We were not able to verify the hash of this driver successfully; it has not been confirmed.

Description

d.sys is a vulnerable driver; more information will be added as it is found.

  • UUID: 7a7630d6-d007-4d84-a17d-81236d9693e1
  • Created: 2023-01-09
  • Author: Michael Haag
  • Acknowledgement:

Download

This download link contains the vulnerable driver!

Commands

sc.exe create d.sys binPath=C:\windows\temp\d.sys type=kernel && sc.exe start d.sys

  • Use Case: Elevate privileges
  • Privileges: kernel
  • Operating System: Windows 10

Detections

YARA 🏹

  • Exact Match: with header and size limitation
  • Threat Hunting: without header and size limitation
  • Renamed: for renamed driver files

Sigma 🛡️

  • Names: detects loading using name only
  • Hashes: detects loading using hashes only

Sysmon 🔎

  • Block: on hashes
  • Alert: on hashes

Resources

  • https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules

  • Known Vulnerable Samples

    Property | Value
    Filename | d.sys
    Creation Timestamp | 2007-06-19 23:46:07
    MD5 | a60c9173563b940203cf4ad38ccf2082
    SHA1 | a3636986cdcd1d1cb8ab540f3d5c29dcc90bb8f0
    SHA256 | c1c4310e5d467d24e864177bdbfc57cb5d29aac697481bfa9c11ddbeebfd4cc8
    Authentihash MD5 | 19dd018ebddfa9044b05fbb9ddffd7f9
    Authentihash SHA1 | 80111a99c4f127cca12f1902ca241b3e65f339ff
    Authentihash SHA256 | a4ca4a0932afa09e8df3469768f5ac6feaff2b7ae27ac208a218288fc4fbf102
    RichPEHeaderHash MD5 | f3e1fc89f2b01c40ea38fc9510166f54
    RichPEHeaderHash SHA1 | e532da616b3b77c80bdcb3512ea2ed13872d5c52
    RichPEHeaderHash SHA256 | 7e846d33fc8dd8d0efe1e5aab73002ad4d85b7d714cf1740430761c502b839b3

    Download

    Imports

    • ntoskrnl.exe
    • HAL.dll

    Imported Functions

    • KeInitializeEvent
    • ObReferenceObjectByHandle
    • ZwClose
    • ObfDereferenceObject
    • PsCreateSystemThread
    • IoGetCurrentProcess
    • _stricmp
    • strchr
    • ZwCreateFile
    • RtlInitUnicodeString
    • ZwReadFile
    • ZwQueryInformationFile
    • KeDetachProcess
    • ProbeForRead
    • ZwQueryInformationProcess
    • KeAttachProcess
    • KeLeaveCriticalRegion
    • KeEnterCriticalRegion
    • ObOpenObjectByName
    • KeServiceDescriptorTable
    • KeAddSystemServiceTable
    • PsGetCurrentProcessId
    • ProbeForWrite
    • wcsstr
    • ObQueryNameString
    • IoFileObjectType
    • SeSinglePrivilegeCheck
    • KeGetPreviousMode
    • KeDelayExecutionThread
    • ZwAllocateVirtualMemory
    • ZwQuerySection
    • ExfInterlockedInsertTailList
    • ExFreePoolWithTag
    • sprintf
    • RtlVolumeDeviceToDosName
    • IoGetDeviceObjectPointer
    • MmSectionObjectType
    • strstr
    • _strlwr
    • PsProcessType
    • PsSetCreateProcessNotifyRoutine
    • KeInitializeSpinLock
    • PsThreadType
    • PsTerminateSystemThread
    • vsprintf
    • KeQuerySystemTime
    • ExfInterlockedRemoveHeadList
    • NtBuildNumber
    • ExAllocatePoolWithTag
    • ZwOpenKey
    • ZwEnumerateKey
    • ZwDeleteKey
    • _except_handler3
    • swprintf
    • _wcsnicmp
    • ZwQuerySystemInformation
    • PsLookupProcessByProcessId
    • wcstombs
    • ExAcquireFastMutex
    • ExReleaseFastMutex
    • KfAcquireSpinLock
    • KfReleaseSpinLock

    Exported Functions


    Sections

    • .text
    • .rdata
    • .data
    • INIT
    • .reloc

    Signature


    last_updated: 2024-04-09