e0e93453-1007-4799-ad02-9b461b7e0398

truesight.sys :inline

Description

This is a C# AV/EDR Killer using Rogue Anti-Malware Driver 3.3. This driver is not present in the loldrivers or Windows blocklist at the time of this writing. The only reason I'm making this public is because the company has already published a fix in version 3.4, and Microsoft will likely block this driver soon. This driver can be used in Windows 23H2 with HVCI enabled, loldrivers blocklist, or WDAC enabled. HVCI is designed to ensure the integrity of code executed in the kernel, but it cannot protect against all possible vulnerabilities or actions that can be performed through drivers or system interfaces.

  • UUID: e0e93453-1007-4799-ad02-9b461b7e0398
  • Created: 2023-11-10
  • Author: ph4nt0mbyt3, Michael Haag
  • Acknowledgement: |

Download

This download link contains the vulnerable driver!

Commands

sc.exe create truesight.sys binPath=C:\windows\temp\truesight.sys type=kernel && sc.exe start truesight.sys
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 11

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed driver files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://github.com/ph4nt0mbyt3/Darkside

  • Known Vulnerable Samples

    PropertyValue
    FilenameTruesight
    Creation Timestamp2023-08-29 06:07:25
    MD5f53fa44c7b591a2be105344790543369
    SHA1363068731e87bcee19ad5cb802e14f9248465d31
    SHA256bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c
    Authentihash MD57ac40b0bee0d9b6e84d58d567e82e736
    Authentihash SHA113c6de4203098a8017a0bd4c4da98f6d547482bb
    Authentihash SHA256891ad430e7f1d58ef85b437505a6016fa99a72abcfd4734476efc5fc1fcd1cba
    RichPEHeaderHash MD52aa941242ce069665648272f38f01e61
    RichPEHeaderHash SHA127a430c07c51453e908a94ae3e2640dc733030e3
    RichPEHeaderHash SHA25678b94bc1db7ed451dff0467fac7a5e568a1d35f9cabcffbdb4690c13719861bb
    CompanyAdlice Software
    DescriptionRogueKiller Antirootkit Driver
    ProductTruesight
    OriginalFilenameTruesight

    Download

    Certificates

    Expand
    Certificate 48fc93b46055948d36a7c98a89d69416
    FieldValue
    ToBeSigned (TBS) MD5207045ce7b7ab131e78e459b13825902
    ToBeSigned (TBS) SHA1bcf7530a1ab309fb1926cb720f9fd58cff1cb88f
    ToBeSigned (TBS) SHA2560f31a4237992e1ea623baf4c29480afb6d913e10f1fb1d56bb56f5b03fbff13b
    SubjectC=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing Root R46
    ValidFrom2021-05-25 00:00:00
    ValidTo2028-12-31 23:59:59
    Signature12bfa1ef8b749a9844b86946b5ab240a0ca48a67b83a81bf458a7d5207a88d1f4e218539a36b5e2d2086bf10b8ae793b53cdb4fbd844be06d95c6367d44016874486722ad63215f51283c2f9e15d114067f6422772c523e202381a4c20e2db01f7cd464f26a27c66c05136b6890254c7fc58fb6c00eefe98a62e95a10c53291f6fd819a64f9ef7ac09ea5d82c68baf80a7bd8148528431da32ec15e4a64c3d6c3973d40b853920e0851a68e1a74838a9d1362577c18d1916c5884c667d2f63ce98e869dfac3ca85d9dc91c5baed8f32f74cfb87ef6d7839d1196629aae4513da7fdc47fbdfc3529fe60655e99d8cf23a6251bcec240f29d4588084e4457b5ad8
    SignatureAlgorithmOID1.2.840.113549.1.1.12
    IsCertificateAuthorityTrue
    SerialNumber48fc93b46055948d36a7c98a89d69416
    Version3
    Certificate 33d708a891405319e2a5bbd339b9ad6e
    FieldValue
    ToBeSigned (TBS) MD5b81404c775a2621debdb7825b87b8316
    ToBeSigned (TBS) SHA147ae94067c3c59b13605192288705db7b52f3685
    ToBeSigned (TBS) SHA2569893b35b3dcefe53d8d24b887569dfe21f9aef27bd57b61c06fcf7438b89c33a
    SubjectC=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing CA EV R36
    ValidFrom2021-03-22 00:00:00
    ValidTo2036-03-21 23:59:59
    Signature5f36acfbf9f6725a14b7f00b1dded8fd9701d2fd01ee992d86e8f6b7f039ffd6814a5aa7424a0a2d159de694fdc5694ab2d74bf116124cf6be9066658b2d74d4ab08f76a110308777cbe69e1b0db9f248903d6de5ca4e0b2d6b4cfe338d5b96dcc27d6ce6411e8107276d3f9e0e92c89e949d3b39796060ae1f60ac8419a915d81d8367798ca804197a8f8913f639faacd54544b80eaf51766d39471fd9efd4731e3e91a861dd3be20d23fb1525fb293bd8c950998728f9501f49843a54afb1426aa9d36bf72b0fcdcbd840deced34a85e952b3816630575d9f6312e156be294b22ad27435b5989aa3fef82b2fb6174b276c5ae6b9765eda86ddab64d66aea8318881b3182f588b39425c0212f086902e34cbb4c2a1130eb817906e141952ad420f60b93e47c760c9d1d266b5f8401f62a99cdafdec7f0e418a24e9b2f2a0c66a6927526bed94035136faea6371a7ae8ad1c5163072a56066ced7e18f6e3ec6473a66d08368baf0f99ae756b172bc24d6ac351464156e98fc28dff13719bdaed9ed39fabe545a612c5145a524197a3060008c5e61cea27823c3bdbe646c4ef2d003513cd367d9de5aa270805cccec0360e4b194fd0639a6dbfc529533122db75507786d0f2f86aee6b061b3e85232b97c87e7a99410cdd587f0ea8c3123d3a359be09d2c8c17815444a87a1d989d967f5958a65465ff51420bf847ebcff8e5bf
    SignatureAlgorithmOID1.2.840.113549.1.1.12
    IsCertificateAuthorityTrue
    SerialNumber33d708a891405319e2a5bbd339b9ad6e
    Version3
    Certificate 169d2c94309c0380414bcfdd93a6b27d
    FieldValue
    ToBeSigned (TBS) MD5c35e4c3a6f6e5f166c542006132f8c91
    ToBeSigned (TBS) SHA13a3f2daf6898839dd0cf73f3783501106997865a
    ToBeSigned (TBS) SHA256781c89d3ef2b94bd13394987cc7e7885e3ed34ed39690cf0afb8d650d509ca80
    SubjectserialNumber=793 308 925 00023, ??=FR, ??=Business Entity, C=FR, ST=Loire,Atlantique, O=ADLICE (Julien Ascoet), CN=ADLICE (Julien Ascoet)
    ValidFrom2023-08-15 00:00:00
    ValidTo2024-08-14 23:59:59
    Signature04f4980a1b9a8fb8a438ee112ac21f74a5c9bf55f89a5f062d396b5d22d1cd7b9dbf6b7996f55adaef68f86a07ce3ba651b9dc153405b3549e1c9617ab2c46ca7d9abd3afe0ef122d6d3ac1fff593df06e036c61a28ff898c8e75bd98d9298601052d8e0f70c663bbdf70434d136fffe0967e3eb7a4cb0b05a0f00f69b2db92ab1bf86c26b27a0de569625474be0e7b2702416d469fa1a672396143f3c4fdc2d2138ae6eb432ce2fef6f383e568c522c21bb8ffe7869443944e389dd45a86ea31e975656ad549e2234a722419feaf5c00a021a403db34c43b55567a63ab4ad4654931c9ebb8405476c1fc3f350086717b25682a299af26b422682ba1c91da04d4f4dd10104d212947d6b5dd0a5823cb4457f81f14cd634de20b7befe1d6b5720ca2a54fb093bcf48742bbd35eff947e761da2afcef3ef49c4ceef3890a49e14219a1c7c519b363b2260247b8e5a718ed7bc3ba6d35c7f67782602168f4fc4fc96cb94f8669147e071a4d06b591ba9ba50689477df97f3d6cccdcf809f8ef4ced
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityFalse
    SerialNumber169d2c94309c0380414bcfdd93a6b27d
    Version3

    Imports

    Expand
    • ntoskrnl.exe

    Imported Functions

    Expand
    • ExFreePoolWithTag
    • RtlInitUnicodeString
    • RtlGetVersion
    • IofCompleteRequest
    • IoCreateSymbolicLink
    • IoDeleteDevice
    • IoDeleteSymbolicLink
    • __C_specific_handler
    • MmGetSystemRoutineAddress
    • ZwClose
    • ZwSetSecurityObject
    • IoDeviceObjectType
    • IoCreateDevice
    • ObOpenObjectByPointer
    • RtlGetDaclSecurityDescriptor
    • RtlGetGroupSecurityDescriptor
    • RtlGetOwnerSecurityDescriptor
    • RtlGetSaclSecurityDescriptor
    • SeCaptureSecurityDescriptor
    • _snwprintf
    • RtlLengthSecurityDescriptor
    • SeExports
    • RtlCreateSecurityDescriptor
    • _wcsnicmp
    • ExAllocatePoolWithTag
    • wcschr
    • RtlAbsoluteToSelfRelativeSD
    • RtlAddAccessAllowedAce
    • RtlLengthSid
    • IoIsWdmVersionAvailable
    • RtlSetDaclSecurityDescriptor
    • ZwOpenKey
    • ZwSetValueKey
    • ZwQueryValueKey
    • ZwCreateKey
    • RtlFreeUnicodeString
    • KeInitializeEvent
    • KeResetEvent
    • KeSetEvent
    • KeWaitForSingleObject
    • ObfDereferenceObject
    • PsGetCurrentThreadId
    • RtlCaptureStackBackTrace
    • PsLookupThreadByThreadId
    • KeInitializeApc
    • KeInsertQueueApc
    • _wcsicmp
    • IoGetDeviceObjectPointer
    • ObReferenceObjectByHandle
    • MmIsAddressValid
    • ObQueryNameString
    • ZwOpenDirectoryObject
    • ZwQueryDirectoryObject
    • ObOpenObjectByName
    • IoDriverObjectType
    • ZwTerminateProcess
    • ZwOpenProcess
    • ZwQuerySystemInformation
    • ZwDeleteKey
    • ZwEnumerateKey
    • ZwQueryKey
    • IoAllocateIrp
    • IofCallDriver
    • IoCreateFile
    • IoFreeIrp
    • IoGetRelatedDeviceObject
    • IoGetAttachedDevice
    • IoFileObjectType
    • MmProbeAndLockPages
    • MmUnlockPages
    • MmMapLockedPagesSpecifyCache
    • IoAllocateMdl
    • IoFreeMdl
    • KeBugCheckEx

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • PAGE
    • INIT
    • .rsrc
    • .reloc

    Signature

    Expand
    {
      "Certificates": [
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "48fc93b46055948d36a7c98a89d69416",
          "Signature": "12bfa1ef8b749a9844b86946b5ab240a0ca48a67b83a81bf458a7d5207a88d1f4e218539a36b5e2d2086bf10b8ae793b53cdb4fbd844be06d95c6367d44016874486722ad63215f51283c2f9e15d114067f6422772c523e202381a4c20e2db01f7cd464f26a27c66c05136b6890254c7fc58fb6c00eefe98a62e95a10c53291f6fd819a64f9ef7ac09ea5d82c68baf80a7bd8148528431da32ec15e4a64c3d6c3973d40b853920e0851a68e1a74838a9d1362577c18d1916c5884c667d2f63ce98e869dfac3ca85d9dc91c5baed8f32f74cfb87ef6d7839d1196629aae4513da7fdc47fbdfc3529fe60655e99d8cf23a6251bcec240f29d4588084e4457b5ad8",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.12",
          "Subject": "C=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing Root R46",
          "TBS": {
            "MD5": "207045ce7b7ab131e78e459b13825902",
            "SHA1": "bcf7530a1ab309fb1926cb720f9fd58cff1cb88f",
            "SHA256": "0f31a4237992e1ea623baf4c29480afb6d913e10f1fb1d56bb56f5b03fbff13b",
            "SHA384": "a229d2722bc6091d73b1d979b81088c977cb028a6f7cbf264bb81d5cc8f099f87d7c296e48bf09d7ebe275f5498661a4"
          },
          "ValidFrom": "2021-05-25 00:00:00",
          "ValidTo": "2028-12-31 23:59:59",
          "Version": 3
        },
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "33d708a891405319e2a5bbd339b9ad6e",
          "Signature": "5f36acfbf9f6725a14b7f00b1dded8fd9701d2fd01ee992d86e8f6b7f039ffd6814a5aa7424a0a2d159de694fdc5694ab2d74bf116124cf6be9066658b2d74d4ab08f76a110308777cbe69e1b0db9f248903d6de5ca4e0b2d6b4cfe338d5b96dcc27d6ce6411e8107276d3f9e0e92c89e949d3b39796060ae1f60ac8419a915d81d8367798ca804197a8f8913f639faacd54544b80eaf51766d39471fd9efd4731e3e91a861dd3be20d23fb1525fb293bd8c950998728f9501f49843a54afb1426aa9d36bf72b0fcdcbd840deced34a85e952b3816630575d9f6312e156be294b22ad27435b5989aa3fef82b2fb6174b276c5ae6b9765eda86ddab64d66aea8318881b3182f588b39425c0212f086902e34cbb4c2a1130eb817906e141952ad420f60b93e47c760c9d1d266b5f8401f62a99cdafdec7f0e418a24e9b2f2a0c66a6927526bed94035136faea6371a7ae8ad1c5163072a56066ced7e18f6e3ec6473a66d08368baf0f99ae756b172bc24d6ac351464156e98fc28dff13719bdaed9ed39fabe545a612c5145a524197a3060008c5e61cea27823c3bdbe646c4ef2d003513cd367d9de5aa270805cccec0360e4b194fd0639a6dbfc529533122db75507786d0f2f86aee6b061b3e85232b97c87e7a99410cdd587f0ea8c3123d3a359be09d2c8c17815444a87a1d989d967f5958a65465ff51420bf847ebcff8e5bf",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.12",
          "Subject": "C=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing CA EV R36",
          "TBS": {
            "MD5": "b81404c775a2621debdb7825b87b8316",
            "SHA1": "47ae94067c3c59b13605192288705db7b52f3685",
            "SHA256": "9893b35b3dcefe53d8d24b887569dfe21f9aef27bd57b61c06fcf7438b89c33a",
            "SHA384": "f55821c081b58e86eaa202923e715e1524c422c7be0469b13a9e7a319e50d70cb5b67e864273029a79250f9dc3203cbd"
          },
          "ValidFrom": "2021-03-22 00:00:00",
          "ValidTo": "2036-03-21 23:59:59",
          "Version": 3
        },
        {
          "IsCertificateAuthority": false,
          "SerialNumber": "169d2c94309c0380414bcfdd93a6b27d",
          "Signature": "04f4980a1b9a8fb8a438ee112ac21f74a5c9bf55f89a5f062d396b5d22d1cd7b9dbf6b7996f55adaef68f86a07ce3ba651b9dc153405b3549e1c9617ab2c46ca7d9abd3afe0ef122d6d3ac1fff593df06e036c61a28ff898c8e75bd98d9298601052d8e0f70c663bbdf70434d136fffe0967e3eb7a4cb0b05a0f00f69b2db92ab1bf86c26b27a0de569625474be0e7b2702416d469fa1a672396143f3c4fdc2d2138ae6eb432ce2fef6f383e568c522c21bb8ffe7869443944e389dd45a86ea31e975656ad549e2234a722419feaf5c00a021a403db34c43b55567a63ab4ad4654931c9ebb8405476c1fc3f350086717b25682a299af26b422682ba1c91da04d4f4dd10104d212947d6b5dd0a5823cb4457f81f14cd634de20b7befe1d6b5720ca2a54fb093bcf48742bbd35eff947e761da2afcef3ef49c4ceef3890a49e14219a1c7c519b363b2260247b8e5a718ed7bc3ba6d35c7f67782602168f4fc4fc96cb94f8669147e071a4d06b591ba9ba50689477df97f3d6cccdcf809f8ef4ced",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
          "Subject": "serialNumber=793 308 925 00023, ??=FR, ??=Business Entity, C=FR, ST=Loire,Atlantique, O=ADLICE (Julien Ascoet), CN=ADLICE (Julien Ascoet)",
          "TBS": {
            "MD5": "c35e4c3a6f6e5f166c542006132f8c91",
            "SHA1": "3a3f2daf6898839dd0cf73f3783501106997865a",
            "SHA256": "781c89d3ef2b94bd13394987cc7e7885e3ed34ed39690cf0afb8d650d509ca80",
            "SHA384": "8f67b3ca1c1cddb236503ef87f52d7ac52e52d1b3c75c91a49709b8ca54487cadd7464dd23568b19413643bfedd69299"
          },
          "ValidFrom": "2023-08-15 00:00:00",
          "ValidTo": "2024-08-14 23:59:59",
          "Version": 3
        }
      ],
      "CertificatesInfo": "",
      "Signer": [
        {
          "Issuer": "C=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing CA EV R36",
          "SerialNumber": "169d2c94309c0380414bcfdd93a6b27d",
          "Version": 1
        }
      ],
      "SignerInfo": ""
    }
    

    source

    last_updated: 2023-12-22