e0e93453-1007-4799-ad02-9b461b7e0398

truesight.sys :inline

Description

This is a C# AV/EDR Killer using Rogue Anti-Malware Driver 3.3. This driver is not present in the loldrivers or Windows blocklist at the time of this writing. The only reason I'm making this public is because the company has already published a fix in version 3.4, and Microsoft will likely block this driver soon. This driver can be used in Windows 23H2 with HVCI enabled, loldrivers blocklist, or WDAC enabled. HVCI is designed to ensure the integrity of code executed in the kernel, but it cannot protect against all possible vulnerabilities or actions that can be performed through drivers or system interfaces.

  • UUID: e0e93453-1007-4799-ad02-9b461b7e0398
  • Created: 2023-11-10
  • Author: ph4nt0mbyt3, Michael Haag

Download

This download link contains the vulnerable driver!

Block truesight.sys across your endpoints

Add this driver to your block policy in minutes with MagicSword, threat-driven application control. Free for up to 100 endpoints.

Start Blocking for Free

Commands

sc.exe create truesight.sys binPath=C:\windows\temp\truesight.sys type=kernel && sc.exe start truesight.sys
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 11

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed driver files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://github.com/ph4nt0mbyt3/Darkside

    • Known Vulnerable Samples

    PropertyValue
    FilenameTruesight
    Creation Timestamp2023-08-29 06:07:25
    MD5f53fa44c7b591a2be105344790543369
    SHA1363068731e87bcee19ad5cb802e14f9248465d31
    SHA256bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c
    Authentihash MD57ac40b0bee0d9b6e84d58d567e82e736
    Authentihash SHA113c6de4203098a8017a0bd4c4da98f6d547482bb
    Authentihash SHA256891ad430e7f1d58ef85b437505a6016fa99a72abcfd4734476efc5fc1fcd1cba
    RichPEHeaderHash MD52aa941242ce069665648272f38f01e61
    RichPEHeaderHash SHA127a430c07c51453e908a94ae3e2640dc733030e3
    RichPEHeaderHash SHA25678b94bc1db7ed451dff0467fac7a5e568a1d35f9cabcffbdb4690c13719861bb
    CompanyAdlice Software
    DescriptionRogueKiller Antirootkit Driver
    ProductTruesight
    OriginalFilenameTruesight

    Download

    Certificates

    Expand
    Certificate 48fc93b46055948d36a7c98a89d69416
    FieldValue
    ToBeSigned (TBS) MD5207045ce7b7ab131e78e459b13825902
    ToBeSigned (TBS) SHA1bcf7530a1ab309fb1926cb720f9fd58cff1cb88f
    ToBeSigned (TBS) SHA2560f31a4237992e1ea623baf4c29480afb6d913e10f1fb1d56bb56f5b03fbff13b
    SubjectC=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing Root R46
    ValidFrom2021-05-25 00:00:00
    ValidTo2028-12-31 23:59:59
    Signature12bfa1ef8b749a9844b86946b5ab240a0ca48a67b83a81bf458a7d5207a88d1f4e218539a36b5e2d2086bf10b8ae793b53cdb4fbd844be06d95c6367d44016874486722ad63215f51283c2f9e15d114067f6422772c523e202381a4c20e2db01f7cd464f26a27c66c05136b6890254c7fc58fb6c00eefe98a62e95a10c53291f6fd819a64f9ef7ac09ea5d82c68baf80a7bd8148528431da32ec15e4a64c3d6c3973d40b853920e0851a68e1a74838a9d1362577c18d1916c5884c667d2f63ce98e869dfac3ca85d9dc91c5baed8f32f74cfb87ef6d7839d1196629aae4513da7fdc47fbdfc3529fe60655e99d8cf23a6251bcec240f29d4588084e4457b5ad8
    SignatureAlgorithmOID1.2.840.113549.1.1.12
    IsCertificateAuthorityTrue
    SerialNumber48fc93b46055948d36a7c98a89d69416
    Version3
    Certificate 33d708a891405319e2a5bbd339b9ad6e
    FieldValue
    ToBeSigned (TBS) MD5b81404c775a2621debdb7825b87b8316
    ToBeSigned (TBS) SHA147ae94067c3c59b13605192288705db7b52f3685
    ToBeSigned (TBS) SHA2569893b35b3dcefe53d8d24b887569dfe21f9aef27bd57b61c06fcf7438b89c33a
    SubjectC=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing CA EV R36
    ValidFrom2021-03-22 00:00:00
    ValidTo2036-03-21 23:59:59
    Signature5f36acfbf9f6725a14b7f00b1dded8fd9701d2fd01ee992d86e8f6b7f039ffd6814a5aa7424a0a2d159de694fdc5694ab2d74bf116124cf6be9066658b2d74d4ab08f76a110308777cbe69e1b0db9f248903d6de5ca4e0b2d6b4cfe338d5b96dcc27d6ce6411e8107276d3f9e0e92c89e949d3b39796060ae1f60ac8419a915d81d8367798ca804197a8f8913f639faacd54544b80eaf51766d39471fd9efd4731e3e91a861dd3be20d23fb1525fb293bd8c950998728f9501f49843a54afb1426aa9d36bf72b0fcdcbd840deced34a85e952b3816630575d9f6312e156be294b22ad27435b5989aa3fef82b2fb6174b276c5ae6b9765eda86ddab64d66aea8318881b3182f588b39425c0212f086902e34cbb4c2a1130eb817906e141952ad420f60b93e47c760c9d1d266b5f8401f62a99cdafdec7f0e418a24e9b2f2a0c66a6927526bed94035136faea6371a7ae8ad1c5163072a56066ced7e18f6e3ec6473a66d08368baf0f99ae756b172bc24d6ac351464156e98fc28dff13719bdaed9ed39fabe545a612c5145a524197a3060008c5e61cea27823c3bdbe646c4ef2d003513cd367d9de5aa270805cccec0360e4b194fd0639a6dbfc529533122db75507786d0f2f86aee6b061b3e85232b97c87e7a99410cdd587f0ea8c3123d3a359be09d2c8c17815444a87a1d989d967f5958a65465ff51420bf847ebcff8e5bf
    SignatureAlgorithmOID1.2.840.113549.1.1.12
    IsCertificateAuthorityTrue
    SerialNumber33d708a891405319e2a5bbd339b9ad6e
    Version3
    Certificate 169d2c94309c0380414bcfdd93a6b27d
    FieldValue
    ToBeSigned (TBS) MD5c35e4c3a6f6e5f166c542006132f8c91
    ToBeSigned (TBS) SHA13a3f2daf6898839dd0cf73f3783501106997865a
    ToBeSigned (TBS) SHA256781c89d3ef2b94bd13394987cc7e7885e3ed34ed39690cf0afb8d650d509ca80
    SubjectserialNumber=793 308 925 00023, ??=FR, ??=Business Entity, C=FR, ST=Loire,Atlantique, O=ADLICE (Julien Ascoet), CN=ADLICE (Julien Ascoet)
    ValidFrom2023-08-15 00:00:00
    ValidTo2024-08-14 23:59:59
    Signature04f4980a1b9a8fb8a438ee112ac21f74a5c9bf55f89a5f062d396b5d22d1cd7b9dbf6b7996f55adaef68f86a07ce3ba651b9dc153405b3549e1c9617ab2c46ca7d9abd3afe0ef122d6d3ac1fff593df06e036c61a28ff898c8e75bd98d9298601052d8e0f70c663bbdf70434d136fffe0967e3eb7a4cb0b05a0f00f69b2db92ab1bf86c26b27a0de569625474be0e7b2702416d469fa1a672396143f3c4fdc2d2138ae6eb432ce2fef6f383e568c522c21bb8ffe7869443944e389dd45a86ea31e975656ad549e2234a722419feaf5c00a021a403db34c43b55567a63ab4ad4654931c9ebb8405476c1fc3f350086717b25682a299af26b422682ba1c91da04d4f4dd10104d212947d6b5dd0a5823cb4457f81f14cd634de20b7befe1d6b5720ca2a54fb093bcf48742bbd35eff947e761da2afcef3ef49c4ceef3890a49e14219a1c7c519b363b2260247b8e5a718ed7bc3ba6d35c7f67782602168f4fc4fc96cb94f8669147e071a4d06b591ba9ba50689477df97f3d6cccdcf809f8ef4ced
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityFalse
    SerialNumber169d2c94309c0380414bcfdd93a6b27d
    Version3

    Imports

    Expand
    • ntoskrnl.exe

    Imported Functions

    Expand
    • ExFreePoolWithTag
    • RtlInitUnicodeString
    • RtlGetVersion
    • IofCompleteRequest
    • IoCreateSymbolicLink
    • IoDeleteDevice
    • IoDeleteSymbolicLink
    • __C_specific_handler
    • MmGetSystemRoutineAddress
    • ZwClose
    • ZwSetSecurityObject
    • IoDeviceObjectType
    • IoCreateDevice
    • ObOpenObjectByPointer
    • RtlGetDaclSecurityDescriptor
    • RtlGetGroupSecurityDescriptor
    • RtlGetOwnerSecurityDescriptor
    • RtlGetSaclSecurityDescriptor
    • SeCaptureSecurityDescriptor
    • _snwprintf
    • RtlLengthSecurityDescriptor
    • SeExports
    • RtlCreateSecurityDescriptor
    • _wcsnicmp
    • ExAllocatePoolWithTag
    • wcschr
    • RtlAbsoluteToSelfRelativeSD
    • RtlAddAccessAllowedAce
    • RtlLengthSid
    • IoIsWdmVersionAvailable
    • RtlSetDaclSecurityDescriptor
    • ZwOpenKey
    • ZwSetValueKey
    • ZwQueryValueKey
    • ZwCreateKey
    • RtlFreeUnicodeString
    • KeInitializeEvent
    • KeResetEvent
    • KeSetEvent
    • KeWaitForSingleObject
    • ObfDereferenceObject
    • PsGetCurrentThreadId
    • RtlCaptureStackBackTrace
    • PsLookupThreadByThreadId
    • KeInitializeApc
    • KeInsertQueueApc
    • _wcsicmp
    • IoGetDeviceObjectPointer
    • ObReferenceObjectByHandle
    • MmIsAddressValid
    • ObQueryNameString
    • ZwOpenDirectoryObject
    • ZwQueryDirectoryObject
    • ObOpenObjectByName
    • IoDriverObjectType
    • ZwTerminateProcess
    • ZwOpenProcess
    • ZwQuerySystemInformation
    • ZwDeleteKey
    • ZwEnumerateKey
    • ZwQueryKey
    • IoAllocateIrp
    • IofCallDriver
    • IoCreateFile
    • IoFreeIrp
    • IoGetRelatedDeviceObject
    • IoGetAttachedDevice
    • IoFileObjectType
    • MmProbeAndLockPages
    • MmUnlockPages
    • MmMapLockedPagesSpecifyCache
    • IoAllocateMdl
    • IoFreeMdl
    • KeBugCheckEx

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • PAGE
    • INIT
    • .rsrc
    • .reloc

    Signature

    Expand
    {
  "Certificates": [
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "48fc93b46055948d36a7c98a89d69416",
      "Signature": "12bfa1ef8b749a9844b86946b5ab240a0ca48a67b83a81bf458a7d5207a88d1f4e218539a36b5e2d2086bf10b8ae793b53cdb4fbd844be06d95c6367d44016874486722ad63215f51283c2f9e15d114067f6422772c523e202381a4c20e2db01f7cd464f26a27c66c05136b6890254c7fc58fb6c00eefe98a62e95a10c53291f6fd819a64f9ef7ac09ea5d82c68baf80a7bd8148528431da32ec15e4a64c3d6c3973d40b853920e0851a68e1a74838a9d1362577c18d1916c5884c667d2f63ce98e869dfac3ca85d9dc91c5baed8f32f74cfb87ef6d7839d1196629aae4513da7fdc47fbdfc3529fe60655e99d8cf23a6251bcec240f29d4588084e4457b5ad8",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.12",
      "Subject": "C=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing Root R46",
      "TBS": {
        "MD5": "207045ce7b7ab131e78e459b13825902",
        "SHA1": "bcf7530a1ab309fb1926cb720f9fd58cff1cb88f",
        "SHA256": "0f31a4237992e1ea623baf4c29480afb6d913e10f1fb1d56bb56f5b03fbff13b",
        "SHA384": "a229d2722bc6091d73b1d979b81088c977cb028a6f7cbf264bb81d5cc8f099f87d7c296e48bf09d7ebe275f5498661a4"
      },
      "ValidFrom": "2021-05-25 00:00:00",
      "ValidTo": "2028-12-31 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "33d708a891405319e2a5bbd339b9ad6e",
      "Signature": "5f36acfbf9f6725a14b7f00b1dded8fd9701d2fd01ee992d86e8f6b7f039ffd6814a5aa7424a0a2d159de694fdc5694ab2d74bf116124cf6be9066658b2d74d4ab08f76a110308777cbe69e1b0db9f248903d6de5ca4e0b2d6b4cfe338d5b96dcc27d6ce6411e8107276d3f9e0e92c89e949d3b39796060ae1f60ac8419a915d81d8367798ca804197a8f8913f639faacd54544b80eaf51766d39471fd9efd4731e3e91a861dd3be20d23fb1525fb293bd8c950998728f9501f49843a54afb1426aa9d36bf72b0fcdcbd840deced34a85e952b3816630575d9f6312e156be294b22ad27435b5989aa3fef82b2fb6174b276c5ae6b9765eda86ddab64d66aea8318881b3182f588b39425c0212f086902e34cbb4c2a1130eb817906e141952ad420f60b93e47c760c9d1d266b5f8401f62a99cdafdec7f0e418a24e9b2f2a0c66a6927526bed94035136faea6371a7ae8ad1c5163072a56066ced7e18f6e3ec6473a66d08368baf0f99ae756b172bc24d6ac351464156e98fc28dff13719bdaed9ed39fabe545a612c5145a524197a3060008c5e61cea27823c3bdbe646c4ef2d003513cd367d9de5aa270805cccec0360e4b194fd0639a6dbfc529533122db75507786d0f2f86aee6b061b3e85232b97c87e7a99410cdd587f0ea8c3123d3a359be09d2c8c17815444a87a1d989d967f5958a65465ff51420bf847ebcff8e5bf",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.12",
      "Subject": "C=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing CA EV R36",
      "TBS": {
        "MD5": "b81404c775a2621debdb7825b87b8316",
        "SHA1": "47ae94067c3c59b13605192288705db7b52f3685",
        "SHA256": "9893b35b3dcefe53d8d24b887569dfe21f9aef27bd57b61c06fcf7438b89c33a",
        "SHA384": "f55821c081b58e86eaa202923e715e1524c422c7be0469b13a9e7a319e50d70cb5b67e864273029a79250f9dc3203cbd"
      },
      "ValidFrom": "2021-03-22 00:00:00",
      "ValidTo": "2036-03-21 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "169d2c94309c0380414bcfdd93a6b27d",
      "Signature": "04f4980a1b9a8fb8a438ee112ac21f74a5c9bf55f89a5f062d396b5d22d1cd7b9dbf6b7996f55adaef68f86a07ce3ba651b9dc153405b3549e1c9617ab2c46ca7d9abd3afe0ef122d6d3ac1fff593df06e036c61a28ff898c8e75bd98d9298601052d8e0f70c663bbdf70434d136fffe0967e3eb7a4cb0b05a0f00f69b2db92ab1bf86c26b27a0de569625474be0e7b2702416d469fa1a672396143f3c4fdc2d2138ae6eb432ce2fef6f383e568c522c21bb8ffe7869443944e389dd45a86ea31e975656ad549e2234a722419feaf5c00a021a403db34c43b55567a63ab4ad4654931c9ebb8405476c1fc3f350086717b25682a299af26b422682ba1c91da04d4f4dd10104d212947d6b5dd0a5823cb4457f81f14cd634de20b7befe1d6b5720ca2a54fb093bcf48742bbd35eff947e761da2afcef3ef49c4ceef3890a49e14219a1c7c519b363b2260247b8e5a718ed7bc3ba6d35c7f67782602168f4fc4fc96cb94f8669147e071a4d06b591ba9ba50689477df97f3d6cccdcf809f8ef4ced",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "serialNumber=793 308 925 00023, ??=FR, ??=Business Entity, C=FR, ST=Loire,Atlantique, O=ADLICE (Julien Ascoet), CN=ADLICE (Julien Ascoet)",
      "TBS": {
        "MD5": "c35e4c3a6f6e5f166c542006132f8c91",
        "SHA1": "3a3f2daf6898839dd0cf73f3783501106997865a",
        "SHA256": "781c89d3ef2b94bd13394987cc7e7885e3ed34ed39690cf0afb8d650d509ca80",
        "SHA384": "8f67b3ca1c1cddb236503ef87f52d7ac52e52d1b3c75c91a49709b8ca54487cadd7464dd23568b19413643bfedd69299"
      },
      "ValidFrom": "2023-08-15 00:00:00",
      "ValidTo": "2024-08-14 23:59:59",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing CA EV R36",
      "SerialNumber": "169d2c94309c0380414bcfdd93a6b27d",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}
    PropertyValue
    FilenameTruesight
    Creation Timestamp2014-12-04 12:36:12
    MD5531121e7ed50084b493a69f8f8a7a927
    SHA128c37b1c0af4a2a75a9662544fb3181a71c45dd2
    SHA256bfbfcb7cae421739163e7630865009d3197f587265e9e5797142d93e1b72b191
    Authentihash MD5e500e54b63b017a00fddcc37a6d47a90
    Authentihash SHA179573b1d088101b2ebea80da1ab2dbb83725336a
    Authentihash SHA25613a64ee87e5e407cb592026b7d0bed501a2ae5bfaa33312d89e0f62fe4278828
    RichPEHeaderHash MD5a6c1f42a8235df4fdeca277b0de64953
    RichPEHeaderHash SHA1725ef7e2e32e5bb3967731cbd53e3c389f952aff
    RichPEHeaderHash SHA256fc4499c41e1a142b40d14a0028e422248600741a7f6902df2a06aa4a05c129fe
    CompanyAdlice Software
    DescriptionAntirootkit module
    ProductTruesight
    OriginalFilenameTruesight

    Download

    Certificates

    Expand
    Certificate 0da5be52ad798cf036b2b2322ff0f774
    FieldValue
    ToBeSigned (TBS) MD571b84e8a2695ca99a1fcf2246051b7ee
    ToBeSigned (TBS) SHA1cf5993cd8054d6190ba44a3f05b2d0921899ca08
    ToBeSigned (TBS) SHA256d0c8fd4b3cc1b744a67c131a49e03831cf30884ff54b03308dd1fed4354465c7
    SubjectC=FR, ST=Loire Atlantique, L=Orvault, O=Adlice, CN=Adlice
    ValidFrom2014-06-17 00:00:00
    ValidTo2015-06-22 12:00:00
    Signatureab003b79f4255d9aca48b450b1d8326306a4641de1c4a8f01a2d9e62daacc5a741d44371e1a529d0f97e3d02da65cd0f6ba70081e636fd025aacafb53d6f7ed8e6d7854e5442ebb642b97415b25df1852a1f5667dc732f5eef2dea21863e40e32dc809bf0b098260352d7babf9f90e0cf3a6e6c8d93377d1829c94deb2c84757a5e1ed914bf0ca4e08567a68bf3c8a3bbc9701220b621c68f61e9fcd38aafeaa6facbb5cb6194f24f6bbbc6354616a77d39a16018ec2c8ffd6042f22291140c03d57b32351a652d2a83817236089e0ab9a7c31715ca37583e383536ceea934f3cdbff211abaf61ba3fe0c6eba9a86b11000124d6b4d8d16d5a97764f955a7771
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber0da5be52ad798cf036b2b2322ff0f774
    Version3
    Certificate 61204db4000000000027
    FieldValue
    ToBeSigned (TBS) MD58e3ffc222fbcebdbb8b23115ab259be7
    ToBeSigned (TBS) SHA1ee20bff28ffe13be731c294c90d6ded5aae0ec0e
    ToBeSigned (TBS) SHA25659826b69bc8c28118c96323b627da59aaca0b142cc5d8bad25a8fcfd399aa821
    SubjectC=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
    ValidFrom2011-04-15 19:45:33
    ValidTo2021-04-15 19:55:33
    Signature208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber61204db4000000000027
    Version3
    Certificate 03019a023aff58b16bd6d5eae617f066
    FieldValue
    ToBeSigned (TBS) MD5a752afee44f017e8d74e3f3eb7914ae3
    ToBeSigned (TBS) SHA18eca80a6b80e9c69dcef7745748524afb8019e2d
    ToBeSigned (TBS) SHA25682560fa7efec30b5ff82af643e6f3bf3d46868bbd5e7d76f93db185e9e3553a1
    SubjectC=US, O=DigiCert, CN=DigiCert Timestamp Responder
    ValidFrom2014-10-22 00:00:00
    ValidTo2024-10-22 00:00:00
    Signature9d257e1b334db226815c9b86ce23200f8087e588ffffb1d46a2c31ed3a17197117cda91bbc5a1639009de36c84e45a40fbde06018c37fa9bb19d247efe20a457ad5bb79ab06026ea6957215d342f1f71b0839419056b359010a07b97c7f63fe7e21141a6bd62d9f0273d381d286f3a5209f0ec7062d3624bb0e073a692c0d38e31d82fe36d171306eee403b614abf38f43a7719d21dd14ca155d9241daf90f81d199740d26c40e7f1bb5f5a0f1c677062815e9d893e55516f0bb0aab1cdb5c482766c8a38b0a1ce595daaec42e59a061dddaf36da261e98a0b6dec1218bdf755544003922b6bc251c20a48afb0d46ee0f4140a3a1be38f3dcaaf6a8d7bdcd844
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber03019a023aff58b16bd6d5eae617f066
    Version3
    Certificate 02c4d1e58a4a680c568da3047e7e4d5f
    FieldValue
    ToBeSigned (TBS) MD5829995f702421dea833a24fb2c7f4442
    ToBeSigned (TBS) SHA11d7e838accd498c2e5ba9373af819ec097bb955c
    ToBeSigned (TBS) SHA25692914d016cc46e125e50c4bd0bd7f72db87eed4ba68f3c589b4e86aa563108db
    SubjectC=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1
    ValidFrom2011-02-11 12:00:00
    ValidTo2026-02-10 12:00:00
    Signature49eb7c60beaeefc97cb3c5ba4b64df1669e286fa29d9de98857d406626332f4455aaaa90e935700a34bed3ae542e8e6500d67a32203e6c26b898a939b1bc95c7aae9f5ee4666c6b3e812f8b3979dff74588234997550ac448fe892ce7d8b0f3196c7dcd31130987416c6e56b4576a39401cd33007a48f66f8631c9562b3322d5f801b644ce8cb4ca88d2e416e3e7f6e23ee109c09d7943437f555c05ad9310c62c0d6bc09eea78e5d277d6b8da9a987fba4c922b9dbda488b1ddafc34cd2979b03c6ae5f1b440f333715e3cbff2f56d316a45b55679da2cadb346c0c734ab57ba4b6b3e935027870ec007acbfc4b4f2236bb1484c98f91dd0f3c758cca0b88e7
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber02c4d1e58a4a680c568da3047e7e4d5f
    Version3
    Certificate 06fdf9039603adea000aeb3f27bbba1b
    FieldValue
    ToBeSigned (TBS) MD54e5ad189638cf52ba9cd881d4d44668c
    ToBeSigned (TBS) SHA1cdc115e98d798b33904c820d63cc1e1afc19251d
    ToBeSigned (TBS) SHA25637560fb9d548ab62cc3ed4669a4ab74828b5a108e67e829937ffb2d10a5f78dd
    SubjectC=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1
    ValidFrom2006-11-10 00:00:00
    ValidTo2021-11-10 00:00:00
    Signature46503ec9b72824a7381db65b29af52cf52e93147ab565c7bd50d0b41b3efec751f7438f2b25c61a29c95c350e482b923d1ba3a8672ad3878ac755d1717347247859456d1ebbb368477cc24a5f3041955a9e7e3e7ab62cdfb8b2d90c2c0d2b594bd5e4fb105d20e3d1aa9145ba6863162a8a833e49b39a7c4f5ce1d7876942573e42aabcf9c764bed5fc24b16e44b704c00891efcc579bc4c1257fe5fe11ebc025da8fefb07384f0dc65d91b90f6745cdd683ede7920d8db1698c4ffb59e0230fd2aaae007cee9c420ecf91d727b716ee0fc3bd7c0aa0ee2c08558522b8eb181a4dfc2a21ad49318347957771dcb11b4b4b1c109c7714c19d4f2f5a9508291026
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber06fdf9039603adea000aeb3f27bbba1b
    Version3

    Imports

    Expand
    • ntoskrnl.exe

    Imported Functions

    Expand
    • IoDeleteSymbolicLink
    • RtlInitUnicodeString
    • IoDeleteDevice
    • IofCompleteRequest
    • IoCreateSymbolicLink
    • IoCreateDevice
    • RtlAssert
    • DbgPrint
    • KeBugCheckEx
    • _wcsicmp
    • ExFreePoolWithTag
    • ObOpenObjectByName
    • ZwOpenDirectoryObject
    • ObQueryNameString
    • IoDriverObjectType
    • IoGetDeviceObjectPointer
    • ExAllocatePool
    • ZwClose
    • ObReferenceObjectByHandle
    • ZwQueryDirectoryObject
    • MmIsAddressValid
    • ObfDereferenceObject
    • KeResetEvent
    • KeInitializeApc
    • KeSetEvent
    • KeInsertQueueApc
    • KeInitializeEvent
    • KeWaitForSingleObject
    • RtlCaptureStackBackTrace
    • PsGetCurrentThreadId
    • PsLookupThreadByThreadId
    • ExAllocatePoolWithTag
    • ZwDeleteKey
    • ZwEnumerateKey
    • ZwQueryKey
    • ZwOpenKey
    • ZwQuerySystemInformation
    • ZwOpenProcess
    • ZwTerminateProcess
    • IoGetAttachedDevice
    • IoGetRelatedDeviceObject
    • IoCreateFile
    • IoFileObjectType
    • IoFreeIrp
    • IoAllocateIrp
    • IofCallDriver
    • RtlGetVersion
    • PsGetVersion
    • __C_specific_handler

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • PAGE
    • INIT
    • .rsrc
    • .reloc

    Signature

    Expand
    {
  "Certificates": [
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "48fc93b46055948d36a7c98a89d69416",
      "Signature": "12bfa1ef8b749a9844b86946b5ab240a0ca48a67b83a81bf458a7d5207a88d1f4e218539a36b5e2d2086bf10b8ae793b53cdb4fbd844be06d95c6367d44016874486722ad63215f51283c2f9e15d114067f6422772c523e202381a4c20e2db01f7cd464f26a27c66c05136b6890254c7fc58fb6c00eefe98a62e95a10c53291f6fd819a64f9ef7ac09ea5d82c68baf80a7bd8148528431da32ec15e4a64c3d6c3973d40b853920e0851a68e1a74838a9d1362577c18d1916c5884c667d2f63ce98e869dfac3ca85d9dc91c5baed8f32f74cfb87ef6d7839d1196629aae4513da7fdc47fbdfc3529fe60655e99d8cf23a6251bcec240f29d4588084e4457b5ad8",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.12",
      "Subject": "C=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing Root R46",
      "TBS": {
        "MD5": "207045ce7b7ab131e78e459b13825902",
        "SHA1": "bcf7530a1ab309fb1926cb720f9fd58cff1cb88f",
        "SHA256": "0f31a4237992e1ea623baf4c29480afb6d913e10f1fb1d56bb56f5b03fbff13b",
        "SHA384": "a229d2722bc6091d73b1d979b81088c977cb028a6f7cbf264bb81d5cc8f099f87d7c296e48bf09d7ebe275f5498661a4"
      },
      "ValidFrom": "2021-05-25 00:00:00",
      "ValidTo": "2028-12-31 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "33d708a891405319e2a5bbd339b9ad6e",
      "Signature": "5f36acfbf9f6725a14b7f00b1dded8fd9701d2fd01ee992d86e8f6b7f039ffd6814a5aa7424a0a2d159de694fdc5694ab2d74bf116124cf6be9066658b2d74d4ab08f76a110308777cbe69e1b0db9f248903d6de5ca4e0b2d6b4cfe338d5b96dcc27d6ce6411e8107276d3f9e0e92c89e949d3b39796060ae1f60ac8419a915d81d8367798ca804197a8f8913f639faacd54544b80eaf51766d39471fd9efd4731e3e91a861dd3be20d23fb1525fb293bd8c950998728f9501f49843a54afb1426aa9d36bf72b0fcdcbd840deced34a85e952b3816630575d9f6312e156be294b22ad27435b5989aa3fef82b2fb6174b276c5ae6b9765eda86ddab64d66aea8318881b3182f588b39425c0212f086902e34cbb4c2a1130eb817906e141952ad420f60b93e47c760c9d1d266b5f8401f62a99cdafdec7f0e418a24e9b2f2a0c66a6927526bed94035136faea6371a7ae8ad1c5163072a56066ced7e18f6e3ec6473a66d08368baf0f99ae756b172bc24d6ac351464156e98fc28dff13719bdaed9ed39fabe545a612c5145a524197a3060008c5e61cea27823c3bdbe646c4ef2d003513cd367d9de5aa270805cccec0360e4b194fd0639a6dbfc529533122db75507786d0f2f86aee6b061b3e85232b97c87e7a99410cdd587f0ea8c3123d3a359be09d2c8c17815444a87a1d989d967f5958a65465ff51420bf847ebcff8e5bf",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.12",
      "Subject": "C=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing CA EV R36",
      "TBS": {
        "MD5": "b81404c775a2621debdb7825b87b8316",
        "SHA1": "47ae94067c3c59b13605192288705db7b52f3685",
        "SHA256": "9893b35b3dcefe53d8d24b887569dfe21f9aef27bd57b61c06fcf7438b89c33a",
        "SHA384": "f55821c081b58e86eaa202923e715e1524c422c7be0469b13a9e7a319e50d70cb5b67e864273029a79250f9dc3203cbd"
      },
      "ValidFrom": "2021-03-22 00:00:00",
      "ValidTo": "2036-03-21 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "169d2c94309c0380414bcfdd93a6b27d",
      "Signature": "04f4980a1b9a8fb8a438ee112ac21f74a5c9bf55f89a5f062d396b5d22d1cd7b9dbf6b7996f55adaef68f86a07ce3ba651b9dc153405b3549e1c9617ab2c46ca7d9abd3afe0ef122d6d3ac1fff593df06e036c61a28ff898c8e75bd98d9298601052d8e0f70c663bbdf70434d136fffe0967e3eb7a4cb0b05a0f00f69b2db92ab1bf86c26b27a0de569625474be0e7b2702416d469fa1a672396143f3c4fdc2d2138ae6eb432ce2fef6f383e568c522c21bb8ffe7869443944e389dd45a86ea31e975656ad549e2234a722419feaf5c00a021a403db34c43b55567a63ab4ad4654931c9ebb8405476c1fc3f350086717b25682a299af26b422682ba1c91da04d4f4dd10104d212947d6b5dd0a5823cb4457f81f14cd634de20b7befe1d6b5720ca2a54fb093bcf48742bbd35eff947e761da2afcef3ef49c4ceef3890a49e14219a1c7c519b363b2260247b8e5a718ed7bc3ba6d35c7f67782602168f4fc4fc96cb94f8669147e071a4d06b591ba9ba50689477df97f3d6cccdcf809f8ef4ced",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "serialNumber=793 308 925 00023, ??=FR, ??=Business Entity, C=FR, ST=Loire,Atlantique, O=ADLICE (Julien Ascoet), CN=ADLICE (Julien Ascoet)",
      "TBS": {
        "MD5": "c35e4c3a6f6e5f166c542006132f8c91",
        "SHA1": "3a3f2daf6898839dd0cf73f3783501106997865a",
        "SHA256": "781c89d3ef2b94bd13394987cc7e7885e3ed34ed39690cf0afb8d650d509ca80",
        "SHA384": "8f67b3ca1c1cddb236503ef87f52d7ac52e52d1b3c75c91a49709b8ca54487cadd7464dd23568b19413643bfedd69299"
      },
      "ValidFrom": "2023-08-15 00:00:00",
      "ValidTo": "2024-08-14 23:59:59",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing CA EV R36",
      "SerialNumber": "169d2c94309c0380414bcfdd93a6b27d",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

    source

    last_updated: 2026-04-14