ca768fc5-9b5c-4ced-90ab-fd6be9a70199

amp.sys :inline

Description

amp.sys is a vulnerable driver and more information will be added as found.

  • UUID: ca768fc5-9b5c-4ced-90ab-fd6be9a70199
  • Created: 2023-01-09
  • Author: Michael Haag
  • Acknowledgement: |

Download

This download link contains the vulnerable driver!

Commands

sc.exe create amp.sys binPath=C:\windows\temp\amp.sys type=kernel && sc.exe start amp.sys
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed driver files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c
  • https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c

  • Known Vulnerable Samples

    PropertyValue
    Filenameamp.sys
    Creation Timestamp2014-03-25 13:59:30
    MD5c533d6d64b474ffc3169a0e0fc0a701a
    SHA13f223581409492172a1e875f130f3485b90fbe5f
    SHA256cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6
    Authentihash MD574ee74d20c3afc42d7722a88aacf3671
    Authentihash SHA187a84133f5e4c12d2d4a42fcc3be84b43a6202b5
    Authentihash SHA256a37371c4e62f106e7da03fd5bdd6f12ecdf7fcaf1195dbf9fb7ef6eb456a7506
    RichPEHeaderHash MD5593d089f4c58f69bf9a55187183311c5
    RichPEHeaderHash SHA144ca4aa0f7d23e93513678acc2cd2adc598e8ffb
    RichPEHeaderHash SHA256760adc6081dcffb04db56b93951995c42ff320cccf993fc11bca93786a57ad41
    CompanyCYREN Inc.
    DescriptionAMP Minifilter
    ProductCYREN AMP 5
    OriginalFilenameamp.sys

    Download

    Certificates

    Expand
    Certificate 7e93ebfb7cc64e59ea4b9a77d406fc3b
    FieldValue
    ToBeSigned (TBS) MD5d0785ad36e427c92b19f6826ab1e8020
    ToBeSigned (TBS) SHA1365b7a9c21bd9373e49052c3e7b3e4646ddd4d43
    ToBeSigned (TBS) SHA256c2abb7484da91a658548de089d52436175fdb760a1387d225611dc0613a1e2ff
    SubjectC=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2
    ValidFrom2012-12-21 00:00:00
    ValidTo2020-12-30 23:59:59
    Signature03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber7e93ebfb7cc64e59ea4b9a77d406fc3b
    Version3
    Certificate 0ecff438c8febf356e04d86a981b1a50
    FieldValue
    ToBeSigned (TBS) MD5e9d38360b914c8863f6cba3ee58764d3
    ToBeSigned (TBS) SHA14cba8eae47b6bf76f20b3504b98b8f062694a89b
    ToBeSigned (TBS) SHA25688901d86a4cc1f1bb193d08e1fb63d27452e63f83e228c657ab1a92e4ade3976
    SubjectC=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4
    ValidFrom2012-10-18 00:00:00
    ValidTo2020-12-29 23:59:59
    Signature783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber0ecff438c8febf356e04d86a981b1a50
    Version3
    Certificate 4d6290e58c54f0f1eb17341a1310e6a4
    FieldValue
    ToBeSigned (TBS) MD5b7d8444a70054990435f35a5630df5e1
    ToBeSigned (TBS) SHA14678c6e4a8787a8e6ed2bce8792b122f6c08afd8
    ToBeSigned (TBS) SHA2560a8b4b359ea7890b358e56e436e9cfc6f32b037b2599b597ca7f7a80d475ec98
    SubjectC=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA
    ValidFrom2010-09-30 00:00:00
    ValidTo2014-01-01 23:59:59
    Signatureaedd211d5f8f807ad25209eadb6ed25d8be8c21b6904be51a5010e59fa37d174a3eedced89742b62d5a6bf4fad361754f013e0a345d24c26cbe26da21fd01e7a070fb6b37b6f5068a2e931b3b7997d8070a0a7de0b1ea4fff34d811bdd20c91cc4afcff18ffad9da95f0ecdc5cbfe88c5a3e7ab0a3eb59437411e09b1a6af36f
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber4d6290e58c54f0f1eb17341a1310e6a4
    Version3
    Certificate 610c120600000000001b
    FieldValue
    ToBeSigned (TBS) MD553c41bc1164e09e0cd1617a5bf913efd
    ToBeSigned (TBS) SHA193c03aac8951d494ecd5696b1c08658541b18727
    ToBeSigned (TBS) SHA25640bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b
    SubjectC=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
    ValidFrom2006-05-23 17:01:29
    ValidTo2016-05-23 17:11:29
    Signature01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber610c120600000000001b
    Version3
    Certificate 560e308d590a10d941619020e45e2c2b
    FieldValue
    ToBeSigned (TBS) MD51c70d34387d8008dfcb38b42d3ed1d80
    ToBeSigned (TBS) SHA16128f04efd947c44e0e9034b1bbe07f37ae95f25
    ToBeSigned (TBS) SHA2562cb1aa769c3e20eb26e5fa0af9df27311608c0a59515fef0f0e1ef05410b2d05
    SubjectC=US, ST=Virginia, L=McLean, O=Commtouch, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=R&D, CN=Commtouch, Inc.
    ValidFrom2013-11-19 00:00:00
    ValidTo2017-01-16 23:59:59
    Signature58cd58fb0b58e291fe4896a360334f4ad8fdf84720dc356ce98f8f3e45dc0447c7223f75d55c2444202d455e7d282da1d189794fd4e2f499c7c55d98f0aecb3d0ef9b6dd1dff2f125e9d39ce95fb542c8f02d275176fc6da9a493427d018083d5852c13bf8b2908041af46b113f403bb93d6006ea0a0ff2ae7d648ed4280ed1cb4999203fc94832725928af6cb715395bd69bb6ce888efb9a658a15cf88b68de26957f49bb3cdbdb8f6d88cc91ac2c14f0500815e41f977b9cf55a173961bc8c02343b76a91a8e9dd3224329a3bb70d694ca497460aa6360d1f156f5d9fad8d54e846f171c1b5a30b713ba17296ffc75fdbc4b7f13efe4cdabae8769ce0e5609
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber560e308d590a10d941619020e45e2c2b
    Version3

    Imports

    Expand
    • ntoskrnl.exe
    • FLTMGR.SYS

    Imported Functions

    Expand
    • ObfDereferenceObject
    • ObQueryNameString
    • RtlIntegerToUnicodeString
    • IoGetCurrentProcess
    • _strnicmp
    • MmIsAddressValid
    • _strupr
    • MmGetSystemRoutineAddress
    • PsGetVersion
    • ExInitializeResourceLite
    • ExDeleteResourceLite
    • KeEnterCriticalRegion
    • ExAcquireResourceSharedLite
    • ExReleaseResourceForThreadLite
    • KeLeaveCriticalRegion
    • ExAcquireResourceExclusiveLite
    • wcschr
    • wcsrchr
    • ZwQueryInformationFile
    • ZwSetInformationFile
    • ZwReadFile
    • ZwWriteFile
    • ExUuidCreate
    • ObReferenceObjectByHandle
    • _wcsupr
    • wcsncmp
    • IoGetTopLevelIrp
    • IoSetTopLevelIrp
    • IoGetStackLimits
    • ObfReferenceObject
    • ZwOpenDirectoryObject
    • ZwOpenSymbolicLinkObject
    • ZwQuerySymbolicLinkObject
    • RtlFreeUnicodeString
    • KeSetEvent
    • RtlTimeToTimeFields
    • swprintf
    • _wcsicmp
    • ExSystemTimeToLocalTime
    • KeWaitForMultipleObjects
    • KeResetEvent
    • PsTerminateSystemThread
    • PsGetCurrentProcessId
    • wcsncpy
    • PsCreateSystemThread
    • PsGetCurrentThreadId
    • ZwOpenProcess
    • ZwQueryInformationProcess
    • IoAllocateErrorLogEntry
    • IoWriteErrorLogEntry
    • IoAllocateWorkItem
    • IoQueueWorkItem
    • IoFreeWorkItem
    • ExReleaseResourceLite
    • ZwCreateKey
    • ZwSetValueKey
    • ZwQueryValueKey
    • RtlInitAnsiString
    • RtlAnsiStringToUnicodeString
    • RtlUnicodeStringToAnsiString
    • RtlCopyUnicodeString
    • IoGetDeviceObjectPointer
    • IoBuildDeviceIoControlRequest
    • KeWaitForSingleObject
    • IofCallDriver
    • KeInitializeEvent
    • RtlCompareString
    • RtlInitString
    • ExAllocatePoolWithTag
    • KeDelayExecutionThread
    • IofCompleteRequest
    • IoIs32bitProcess
    • ZwLoadDriver
    • ZwUnloadDriver
    • RtlInitUnicodeString
    • IoCreateSymbolicLink
    • IoCreateDevice
    • IoDeleteDevice
    • IoDeleteSymbolicLink
    • ZwClose
    • ExAllocatePool
    • ZwCreateFile
    • ExFreePool
    • RtlUnicodeStringToInteger
    • strncmp
    • _wcsnicmp
    • strchr
    • KeReleaseSpinLock
    • KeAcquireSpinLockRaiseToDpc
    • ExInitializeNPagedLookasideList
    • ExpInterlockedPushEntrySList
    • ExpInterlockedPopEntrySList
    • ExDeletePagedLookasideList
    • ExQueryDepthSList
    • ExInitializePagedLookasideList
    • ExDeleteNPagedLookasideList
    • __C_specific_handler
    • _local_unwind
    • FltGetVolumeFromInstance
    • FltSetCallbackDataDirty
    • FltGetFileNameInformation
    • FltReleaseFileNameInformation
    • FltGetVolumeProperties
    • FltStartFiltering
    • FltRegisterFilter
    • FltGetRoutineAddress
    • FltGetDiskDeviceObject
    • FltUnregisterFilter
    • FltGetTunneledName
    • FltGetDestinationFileNameInformation
    • FltGetStreamHandleContext
    • FltSetStreamHandleContext
    • FltCancelFileOpen
    • FltCreateFile
    • FltObjectReference
    • FltReleaseContext
    • FltSetInstanceContext
    • FltAllocateContext
    • FltGetInstanceContext
    • FltEnumerateInstances
    • FltGetVolumeFromName
    • FltObjectDereference
    • FltGetFileNameInformationUnsafe
    • FltQueryInformationFile
    • FltClose
    • FltFlushBuffers

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • INIT
    • .rsrc
    • .reloc

    Signature

    Expand
    {
      "Certificates": [
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "7e93ebfb7cc64e59ea4b9a77d406fc3b",
          "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2",
          "TBS": {
            "MD5": "d0785ad36e427c92b19f6826ab1e8020",
            "SHA1": "365b7a9c21bd9373e49052c3e7b3e4646ddd4d43",
            "SHA256": "c2abb7484da91a658548de089d52436175fdb760a1387d225611dc0613a1e2ff",
            "SHA384": "eab4fe5ef90e0de4a6aa3a27769a5e879f588df5e4785aa4104debd1f81e19ea56d33e3a16e5facf99f68b5d8e3d287b"
          },
          "ValidFrom": "2012-12-21 00:00:00",
          "ValidTo": "2020-12-30 23:59:59",
          "Version": 3
        },
        {
          "IsCertificateAuthority": false,
          "SerialNumber": "0ecff438c8febf356e04d86a981b1a50",
          "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4",
          "TBS": {
            "MD5": "e9d38360b914c8863f6cba3ee58764d3",
            "SHA1": "4cba8eae47b6bf76f20b3504b98b8f062694a89b",
            "SHA256": "88901d86a4cc1f1bb193d08e1fb63d27452e63f83e228c657ab1a92e4ade3976",
            "SHA384": "e9f2a75334a9e336c5a4712eadee88d0374b0fdc273262f4e65c9040ad2793067cc076696db5279a478773485e285652"
          },
          "ValidFrom": "2012-10-18 00:00:00",
          "ValidTo": "2020-12-29 23:59:59",
          "Version": 3
        },
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "4d6290e58c54f0f1eb17341a1310e6a4",
          "Signature": "aedd211d5f8f807ad25209eadb6ed25d8be8c21b6904be51a5010e59fa37d174a3eedced89742b62d5a6bf4fad361754f013e0a345d24c26cbe26da21fd01e7a070fb6b37b6f5068a2e931b3b7997d8070a0a7de0b1ea4fff34d811bdd20c91cc4afcff18ffad9da95f0ecdc5cbfe88c5a3e7ab0a3eb59437411e09b1a6af36f",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA",
          "TBS": {
            "MD5": "b7d8444a70054990435f35a5630df5e1",
            "SHA1": "4678c6e4a8787a8e6ed2bce8792b122f6c08afd8",
            "SHA256": "0a8b4b359ea7890b358e56e436e9cfc6f32b037b2599b597ca7f7a80d475ec98",
            "SHA384": "ab21ee23bcdcf6f6066fb964d61467419ca8c0f3ad0b3fa2be4db6ed6af1cdff066b27d1988551c75836f22eddffef1f"
          },
          "ValidFrom": "2010-09-30 00:00:00",
          "ValidTo": "2014-01-01 23:59:59",
          "Version": 3
        },
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "610c120600000000001b",
          "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority",
          "TBS": {
            "MD5": "53c41bc1164e09e0cd1617a5bf913efd",
            "SHA1": "93c03aac8951d494ecd5696b1c08658541b18727",
            "SHA256": "40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b",
            "SHA384": "f51d4e75ba638f7314cd59b8d6d45f3b34d35ce6986e9d205cd6f333e8e8d8e9c91f636e6bc84731b6661673f40963d8"
          },
          "ValidFrom": "2006-05-23 17:01:29",
          "ValidTo": "2016-05-23 17:11:29",
          "Version": 3
        },
        {
          "IsCertificateAuthority": false,
          "SerialNumber": "560e308d590a10d941619020e45e2c2b",
          "Signature": "58cd58fb0b58e291fe4896a360334f4ad8fdf84720dc356ce98f8f3e45dc0447c7223f75d55c2444202d455e7d282da1d189794fd4e2f499c7c55d98f0aecb3d0ef9b6dd1dff2f125e9d39ce95fb542c8f02d275176fc6da9a493427d018083d5852c13bf8b2908041af46b113f403bb93d6006ea0a0ff2ae7d648ed4280ed1cb4999203fc94832725928af6cb715395bd69bb6ce888efb9a658a15cf88b68de26957f49bb3cdbdb8f6d88cc91ac2c14f0500815e41f977b9cf55a173961bc8c02343b76a91a8e9dd3224329a3bb70d694ca497460aa6360d1f156f5d9fad8d54e846f171c1b5a30b713ba17296ffc75fdbc4b7f13efe4cdabae8769ce0e5609",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=US, ST=Virginia, L=McLean, O=Commtouch, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=R\u0026D, CN=Commtouch, Inc.",
          "TBS": {
            "MD5": "1c70d34387d8008dfcb38b42d3ed1d80",
            "SHA1": "6128f04efd947c44e0e9034b1bbe07f37ae95f25",
            "SHA256": "2cb1aa769c3e20eb26e5fa0af9df27311608c0a59515fef0f0e1ef05410b2d05",
            "SHA384": "b81d9e3728205cda6d19fde8388a35856915252624618a0e235014f81c3efa3de9317885a9236616a9d776f8b1a63da3"
          },
          "ValidFrom": "2013-11-19 00:00:00",
          "ValidTo": "2017-01-16 23:59:59",
          "Version": 3
        }
      ],
      "CertificatesInfo": "",
      "Signer": [
        {
          "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA",
          "SerialNumber": "560e308d590a10d941619020e45e2c2b",
          "Version": 1
        }
      ],
      "SignerInfo": ""
    }
    

    source

    last_updated: 2024-03-28