edd29861-6984-4dbe-8e7c-22e9b6cf68d0

kprocesshacker.sys :inline

Description

kprocesshacker.sys is a vulnerable driver and more information will be added as found.

  • UUID: edd29861-6984-4dbe-8e7c-22e9b6cf68d0
  • Created: 2023-01-09
  • Author: Michael Haag
  • Acknowledgement: |

Download

This download link contains the vulnerable driver!

Commands

sc.exe create krpocesshacker.sys binPath=C:\windows\temp\krpocesshacker.sys     type=kernel && sc.exe start krpocesshacker.sys
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed driver files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html
  • https://www.unknowncheats.me/forum/anti-cheat-bypass/312791-bypaph-process-hackers-bypass-read-write-process-virtual-memory-kernel-mem.html#post2315763
  • https://github.com/elastic/protections-artifacts/search?q=VulnDriver

  • Known Vulnerable Samples

    PropertyValue
    Filenamekrpocesshacker.sys
    MD5bbbc9a6cc488cfb0f6c6934b193891eb
    SHA1d8498707f295082f6a95fd9d32c9782951f5a082
    SHA256c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c
    Authentihash MD5a9ccdbae433c4377abce8f514e4fe43e
    Authentihash SHA161b55bb7c111f93bd3ea9ac71591e1a6b89feee1
    Authentihash SHA256c7b1bb39dcd7f0331989f16fcc7cd29a9ae126bee47746a4be385160da3c5a29
    RichPEHeaderHash MD522fd8ea8bcf37fb7eeed6eb279a87419
    RichPEHeaderHash SHA12a8a26a532f530afcd98cc0daa634946b0c4b04d
    RichPEHeaderHash SHA256509aa32d5245481006346163b0cc645cf9696332bb16b9c3e9ca9209aeb43d35
    Companywj32
    DescriptionKProcessHacker
    ProductKProcessHacker
    OriginalFilenamekprocesshacker.sys

    Download

    Certificates

    Expand
    Certificate 61204db4000000000027
    FieldValue
    ToBeSigned (TBS) MD58e3ffc222fbcebdbb8b23115ab259be7
    ToBeSigned (TBS) SHA1ee20bff28ffe13be731c294c90d6ded5aae0ec0e
    ToBeSigned (TBS) SHA25659826b69bc8c28118c96323b627da59aaca0b142cc5d8bad25a8fcfd399aa821
    SubjectC=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
    ValidFrom2011-04-15 19:45:33
    ValidTo2021-04-15 19:55:33
    Signature208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber61204db4000000000027
    Version3
    Certificate 03019a023aff58b16bd6d5eae617f066
    FieldValue
    ToBeSigned (TBS) MD5a752afee44f017e8d74e3f3eb7914ae3
    ToBeSigned (TBS) SHA18eca80a6b80e9c69dcef7745748524afb8019e2d
    ToBeSigned (TBS) SHA25682560fa7efec30b5ff82af643e6f3bf3d46868bbd5e7d76f93db185e9e3553a1
    SubjectC=US, O=DigiCert, CN=DigiCert Timestamp Responder
    ValidFrom2014-10-22 00:00:00
    ValidTo2024-10-22 00:00:00
    Signature9d257e1b334db226815c9b86ce23200f8087e588ffffb1d46a2c31ed3a17197117cda91bbc5a1639009de36c84e45a40fbde06018c37fa9bb19d247efe20a457ad5bb79ab06026ea6957215d342f1f71b0839419056b359010a07b97c7f63fe7e21141a6bd62d9f0273d381d286f3a5209f0ec7062d3624bb0e073a692c0d38e31d82fe36d171306eee403b614abf38f43a7719d21dd14ca155d9241daf90f81d199740d26c40e7f1bb5f5a0f1c677062815e9d893e55516f0bb0aab1cdb5c482766c8a38b0a1ce595daaec42e59a061dddaf36da261e98a0b6dec1218bdf755544003922b6bc251c20a48afb0d46ee0f4140a3a1be38f3dcaaf6a8d7bdcd844
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber03019a023aff58b16bd6d5eae617f066
    Version3
    Certificate 03e9017d54cd93f094d0a2ab7fc0e3f5
    FieldValue
    ToBeSigned (TBS) MD5edebe2eab71887f7571e5c501cf8b745
    ToBeSigned (TBS) SHA19b039c3cc8d41568351b37628c8dd682b36872e4
    ToBeSigned (TBS) SHA256d6bc8ae81688ac5660ff3b1a337a63edb4c86b6eac8af9dc77f361c820bc7a82
    SubjectC=AU, ST=New South Wales, L=Sydney, O=Wen Jia Liu, CN=Wen Jia Liu
    ValidFrom2013-10-30 00:00:00
    ValidTo2015-11-04 12:00:00
    Signaturebbc031b3dd6b1c6ebec77b8dc1ecfa938149c64e0c959e5857db5c28ef549ddf0be920ccb7ec515aaeb180a28d64a1f4065d38cb997db59295f123851392903c673ed6d1db930ec1618add9989f0f1fc8d06ec5a945242cd7432d6838e33b4c3e4784e754b64dce078686ab2e6626848ff7dcd6fb7efebffdfdad1eefc1e98f9c338ff2565f05039176b24148a841614635157da5f61a17bbd6d479815714e8d3067f0320d5e8bfaa6e35731804925df9b85ba32c0d9f4ccd484d6d1b279bad0ef22b0da375826ea2e119d5c848d9a9275b93abb084c02af9f1b46c5357652f113f556fdb9d1900223341503f4e89b98bae134f7cc9d6409fcf72d2c746c714a
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber03e9017d54cd93f094d0a2ab7fc0e3f5
    Version3
    Certificate 02c4d1e58a4a680c568da3047e7e4d5f
    FieldValue
    ToBeSigned (TBS) MD5829995f702421dea833a24fb2c7f4442
    ToBeSigned (TBS) SHA11d7e838accd498c2e5ba9373af819ec097bb955c
    ToBeSigned (TBS) SHA25692914d016cc46e125e50c4bd0bd7f72db87eed4ba68f3c589b4e86aa563108db
    SubjectC=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1
    ValidFrom2011-02-11 12:00:00
    ValidTo2026-02-10 12:00:00
    Signature49eb7c60beaeefc97cb3c5ba4b64df1669e286fa29d9de98857d406626332f4455aaaa90e935700a34bed3ae542e8e6500d67a32203e6c26b898a939b1bc95c7aae9f5ee4666c6b3e812f8b3979dff74588234997550ac448fe892ce7d8b0f3196c7dcd31130987416c6e56b4576a39401cd33007a48f66f8631c9562b3322d5f801b644ce8cb4ca88d2e416e3e7f6e23ee109c09d7943437f555c05ad9310c62c0d6bc09eea78e5d277d6b8da9a987fba4c922b9dbda488b1ddafc34cd2979b03c6ae5f1b440f333715e3cbff2f56d316a45b55679da2cadb346c0c734ab57ba4b6b3e935027870ec007acbfc4b4f2236bb1484c98f91dd0f3c758cca0b88e7
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber02c4d1e58a4a680c568da3047e7e4d5f
    Version3
    Certificate 06fdf9039603adea000aeb3f27bbba1b
    FieldValue
    ToBeSigned (TBS) MD54e5ad189638cf52ba9cd881d4d44668c
    ToBeSigned (TBS) SHA1cdc115e98d798b33904c820d63cc1e1afc19251d
    ToBeSigned (TBS) SHA25637560fb9d548ab62cc3ed4669a4ab74828b5a108e67e829937ffb2d10a5f78dd
    SubjectC=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1
    ValidFrom2006-11-10 00:00:00
    ValidTo2021-11-10 00:00:00
    Signature46503ec9b72824a7381db65b29af52cf52e93147ab565c7bd50d0b41b3efec751f7438f2b25c61a29c95c350e482b923d1ba3a8672ad3878ac755d1717347247859456d1ebbb368477cc24a5f3041955a9e7e3e7ab62cdfb8b2d90c2c0d2b594bd5e4fb105d20e3d1aa9145ba6863162a8a833e49b39a7c4f5ce1d7876942573e42aabcf9c764bed5fc24b16e44b704c00891efcc579bc4c1257fe5fe11ebc025da8fefb07384f0dc65d91b90f6745cdd683ede7920d8db1698c4ffb59e0230fd2aaae007cee9c420ecf91d727b716ee0fc3bd7c0aa0ee2c08558522b8eb181a4dfc2a21ad49318347957771dcb11b4b4b1c109c7714c19d4f2f5a9508291026
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber06fdf9039603adea000aeb3f27bbba1b
    Version3

    Imports

    Expand
    • ntoskrnl.exe

    Imports

    Expand
    • ntoskrnl.exe

    ImportedFunctions

    Expand
    • ExAllocatePoolWithTag
    • ExFreePoolWithTag
    • RtlInitUnicodeString
    • IoDeleteDevice
    • ProbeForWrite
    • ZwQuerySystemInformation
    • ZwQueryValueKey
    • ZwClose
    • IofCompleteRequest
    • PsGetCurrentProcessId
    • IoCreateDevice
    • SePrivilegeCheck
    • ZwOpenKey
    • ProbeForRead
    • RtlGetVersion
    • RtlCompareMemory
    • MmGetSystemRoutineAddress
    • PsProcessType
    • ObOpenObjectByName
    • ZwQueryObject
    • RtlEqualUnicodeString
    • KeUnstackDetachProcess
    • ExEnumHandleTable
    • ObQueryNameString
    • IoFileObjectType
    • IoDriverObjectType
    • IoGetCurrentProcess
    • ObReferenceObjectByHandle
    • ObCloseHandle
    • PsInitialSystemProcess
    • ObSetHandleAttributes
    • ZwQueryInformationProcess
    • ObfDereferenceObject
    • ExAllocatePoolWithQuotaTag
    • ZwQueryInformationThread
    • ObOpenObjectByPointer
    • KeStackAttachProcess
    • ExAcquireRundownProtection
    • PsLookupProcessByProcessId
    • PsJobType
    • PsReferencePrimaryToken
    • SeTokenObjectType
    • ExReleaseRundownProtection
    • ZwSetInformationProcess
    • PsGetProcessJob
    • PsLookupProcessThreadByCid
    • ZwTerminateProcess
    • PsDereferencePrimaryToken
    • IoThreadToProcess
    • RtlWalkFrameChain
    • KeInitializeApc
    • KeSetEvent
    • KeInsertQueueApc
    • KeInitializeEvent
    • PsSetContextThread
    • PsGetThreadWin32Thread
    • ZwSetInformationThread
    • KeWaitForSingleObject
    • PsThreadType
    • PsAssignImpersonationToken
    • PsGetContextThread
    • PsLookupThreadByThreadId
    • MmUnmapLockedPages
    • ExRaiseStatus
    • MmHighestUserAddress
    • MmMapLockedPagesSpecifyCache
    • MmProbeAndLockPages
    • MmUnlockPages
    • MmIsAddressValid
    • KeBugCheckEx
    • __C_specific_handler

    ExportedFunctions

    Expand

    Signature

    Expand
    {
      "Certificates": [
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "61204db4000000000027",
          "Signature": "208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA",
          "TBS": {
            "MD5": "8e3ffc222fbcebdbb8b23115ab259be7",
            "SHA1": "ee20bff28ffe13be731c294c90d6ded5aae0ec0e",
            "SHA256": "59826b69bc8c28118c96323b627da59aaca0b142cc5d8bad25a8fcfd399aa821",
            "SHA384": "f2dab7e56a33298654924501499487f6ba72c7d9477476a186e1ed7a9be031fade0e35ac09eff5e56bbbab95ae5374e7"
          },
          "ValidFrom": "2011-04-15 19:45:33",
          "ValidTo": "2021-04-15 19:55:33",
          "Version": 3
        },
        {
          "IsCertificateAuthority": false,
          "SerialNumber": "03019a023aff58b16bd6d5eae617f066",
          "Signature": "9d257e1b334db226815c9b86ce23200f8087e588ffffb1d46a2c31ed3a17197117cda91bbc5a1639009de36c84e45a40fbde06018c37fa9bb19d247efe20a457ad5bb79ab06026ea6957215d342f1f71b0839419056b359010a07b97c7f63fe7e21141a6bd62d9f0273d381d286f3a5209f0ec7062d3624bb0e073a692c0d38e31d82fe36d171306eee403b614abf38f43a7719d21dd14ca155d9241daf90f81d199740d26c40e7f1bb5f5a0f1c677062815e9d893e55516f0bb0aab1cdb5c482766c8a38b0a1ce595daaec42e59a061dddaf36da261e98a0b6dec1218bdf755544003922b6bc251c20a48afb0d46ee0f4140a3a1be38f3dcaaf6a8d7bdcd844",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder",
          "TBS": {
            "MD5": "a752afee44f017e8d74e3f3eb7914ae3",
            "SHA1": "8eca80a6b80e9c69dcef7745748524afb8019e2d",
            "SHA256": "82560fa7efec30b5ff82af643e6f3bf3d46868bbd5e7d76f93db185e9e3553a1",
            "SHA384": "e8b11408c88f877ade4ca51114a175fb5dfd2d18d2a66be547c1c9e080fa8f592c7870e30dfab1c04d234993dd0907f3"
          },
          "ValidFrom": "2014-10-22 00:00:00",
          "ValidTo": "2024-10-22 00:00:00",
          "Version": 3
        },
        {
          "IsCertificateAuthority": false,
          "SerialNumber": "03e9017d54cd93f094d0a2ab7fc0e3f5",
          "Signature": "bbc031b3dd6b1c6ebec77b8dc1ecfa938149c64e0c959e5857db5c28ef549ddf0be920ccb7ec515aaeb180a28d64a1f4065d38cb997db59295f123851392903c673ed6d1db930ec1618add9989f0f1fc8d06ec5a945242cd7432d6838e33b4c3e4784e754b64dce078686ab2e6626848ff7dcd6fb7efebffdfdad1eefc1e98f9c338ff2565f05039176b24148a841614635157da5f61a17bbd6d479815714e8d3067f0320d5e8bfaa6e35731804925df9b85ba32c0d9f4ccd484d6d1b279bad0ef22b0da375826ea2e119d5c848d9a9275b93abb084c02af9f1b46c5357652f113f556fdb9d1900223341503f4e89b98bae134f7cc9d6409fcf72d2c746c714a",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=AU, ST=New South Wales, L=Sydney, O=Wen Jia Liu, CN=Wen Jia Liu",
          "TBS": {
            "MD5": "edebe2eab71887f7571e5c501cf8b745",
            "SHA1": "9b039c3cc8d41568351b37628c8dd682b36872e4",
            "SHA256": "d6bc8ae81688ac5660ff3b1a337a63edb4c86b6eac8af9dc77f361c820bc7a82",
            "SHA384": "a7728722407d4cab35d1e851b050c4c9614f5a66b47352b270c76bfea92b8002c7859c02b5fa1ef0773eb3a73f0a37dc"
          },
          "ValidFrom": "2013-10-30 00:00:00",
          "ValidTo": "2015-11-04 12:00:00",
          "Version": 3
        },
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "02c4d1e58a4a680c568da3047e7e4d5f",
          "Signature": "49eb7c60beaeefc97cb3c5ba4b64df1669e286fa29d9de98857d406626332f4455aaaa90e935700a34bed3ae542e8e6500d67a32203e6c26b898a939b1bc95c7aae9f5ee4666c6b3e812f8b3979dff74588234997550ac448fe892ce7d8b0f3196c7dcd31130987416c6e56b4576a39401cd33007a48f66f8631c9562b3322d5f801b644ce8cb4ca88d2e416e3e7f6e23ee109c09d7943437f555c05ad9310c62c0d6bc09eea78e5d277d6b8da9a987fba4c922b9dbda488b1ddafc34cd2979b03c6ae5f1b440f333715e3cbff2f56d316a45b55679da2cadb346c0c734ab57ba4b6b3e935027870ec007acbfc4b4f2236bb1484c98f91dd0f3c758cca0b88e7",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1",
          "TBS": {
            "MD5": "829995f702421dea833a24fb2c7f4442",
            "SHA1": "1d7e838accd498c2e5ba9373af819ec097bb955c",
            "SHA256": "92914d016cc46e125e50c4bd0bd7f72db87eed4ba68f3c589b4e86aa563108db",
            "SHA384": "dbb72e38c3bc17b08aa00535ebd48502058ce6ecfd24bd4dd45c7b33e3d523510a4a649d86dfc77436c58754bd0754ea"
          },
          "ValidFrom": "2011-02-11 12:00:00",
          "ValidTo": "2026-02-10 12:00:00",
          "Version": 3
        },
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "06fdf9039603adea000aeb3f27bbba1b",
          "Signature": "46503ec9b72824a7381db65b29af52cf52e93147ab565c7bd50d0b41b3efec751f7438f2b25c61a29c95c350e482b923d1ba3a8672ad3878ac755d1717347247859456d1ebbb368477cc24a5f3041955a9e7e3e7ab62cdfb8b2d90c2c0d2b594bd5e4fb105d20e3d1aa9145ba6863162a8a833e49b39a7c4f5ce1d7876942573e42aabcf9c764bed5fc24b16e44b704c00891efcc579bc4c1257fe5fe11ebc025da8fefb07384f0dc65d91b90f6745cdd683ede7920d8db1698c4ffb59e0230fd2aaae007cee9c420ecf91d727b716ee0fc3bd7c0aa0ee2c08558522b8eb181a4dfc2a21ad49318347957771dcb11b4b4b1c109c7714c19d4f2f5a9508291026",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1",
          "TBS": {
            "MD5": "4e5ad189638cf52ba9cd881d4d44668c",
            "SHA1": "cdc115e98d798b33904c820d63cc1e1afc19251d",
            "SHA256": "37560fb9d548ab62cc3ed4669a4ab74828b5a108e67e829937ffb2d10a5f78dd",
            "SHA384": "173bfb77183785621ef15f43ea807338cea6a02e8183317d9ef050c7237adda3fa2a5bdcd5a4c96da9f2c55900675b9f"
          },
          "ValidFrom": "2006-11-10 00:00:00",
          "ValidTo": "2021-11-10 00:00:00",
          "Version": 3
        }
      ],
      "CertificatesInfo": "",
      "Signer": [
        {
          "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1",
          "SerialNumber": "03e9017d54cd93f094d0a2ab7fc0e3f5",
          "Version": 1
        }
      ],
      "SignerInfo": ""
    }
    

    PropertyValue
    Filenamekprocesshacker.sys
    MD51b5c3c458e31bede55145d0644e88d75
    SHA1a21c84c6bf2e21d69fa06daaf19b4cc34b589347
    SHA25670211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4
    Authentihash MD5dd81d5b2343e1976d1708e7eb0649f8f
    Authentihash SHA1c2b8c1b34f09a91efe196f646ef7f9a11190fb8e
    Authentihash SHA2564ee2a56c1592ff0e951b452c0de064eba05b7c98e3add04c8aa3b4a84eb797a5
    RichPEHeaderHash MD595cae32d57756079c2a857fba0a9d5a1
    RichPEHeaderHash SHA1ed3d6169ffa0e3b9b7cd864f3778a041c591f3c7
    RichPEHeaderHash SHA256a583b777b45f3612b94a90db572e26d37c05c2616131926002e495753f05ea72
    Companywj32
    DescriptionKProcessHacker
    ProductKProcessHacker
    OriginalFilenamekprocesshacker.sys

    Download

    Certificates

    Expand
    Certificate 0ff1ef66bd621c65b74b4de41425717f
    FieldValue
    ToBeSigned (TBS) MD5757eb14413aba2d993b15943483df3b8
    ToBeSigned (TBS) SHA169f7d9ce7728f0a25643d4da3774704c699718b5
    ToBeSigned (TBS) SHA256f57d1b370f6a90ced8f5776d31549223448aad3486f777b0ccfa812ea3ed55fe
    SubjectC=AU, ST=New South Wales, L=Sydney, O=Wen Jia Liu, CN=Wen Jia Liu
    ValidFrom2013-10-30 00:00:00
    ValidTo2017-01-04 12:00:00
    Signature88f1598a6a8a6c4904646770021476573d57c2f9cb88786e823a6312f7c90b578b1316b069d7670f8c5a59386aa72defedeb4187b9e58199c3c2c805b056622022c294ac38e14d5e66a7a77a4524b893fac245341155abf301ae41c91918705d4c9c291e671cea6b9c77dbede85379866ea935ddda4f28e2954a30251d1e0696bd21c948de0d4201487fb7b35faa308b78cfc81a7d51979a5c0d1fe41fc55cddffd0039e6cf49b497cbe7dc15d492da007906accf14a601e1814334045b45198650b317d09653182dd78daccef4964c457cf6d15a7b79fbf0b732ae0ac45cfba627afb622dfe9dc18064c21411f0464ede145be82db7c5124488044547eb2022
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber0ff1ef66bd621c65b74b4de41425717f
    Version3
    Certificate 61204db4000000000027
    FieldValue
    ToBeSigned (TBS) MD58e3ffc222fbcebdbb8b23115ab259be7
    ToBeSigned (TBS) SHA1ee20bff28ffe13be731c294c90d6ded5aae0ec0e
    ToBeSigned (TBS) SHA25659826b69bc8c28118c96323b627da59aaca0b142cc5d8bad25a8fcfd399aa821
    SubjectC=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
    ValidFrom2011-04-15 19:45:33
    ValidTo2021-04-15 19:55:33
    Signature208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber61204db4000000000027
    Version3
    Certificate 03019a023aff58b16bd6d5eae617f066
    FieldValue
    ToBeSigned (TBS) MD5a752afee44f017e8d74e3f3eb7914ae3
    ToBeSigned (TBS) SHA18eca80a6b80e9c69dcef7745748524afb8019e2d
    ToBeSigned (TBS) SHA25682560fa7efec30b5ff82af643e6f3bf3d46868bbd5e7d76f93db185e9e3553a1
    SubjectC=US, O=DigiCert, CN=DigiCert Timestamp Responder
    ValidFrom2014-10-22 00:00:00
    ValidTo2024-10-22 00:00:00
    Signature9d257e1b334db226815c9b86ce23200f8087e588ffffb1d46a2c31ed3a17197117cda91bbc5a1639009de36c84e45a40fbde06018c37fa9bb19d247efe20a457ad5bb79ab06026ea6957215d342f1f71b0839419056b359010a07b97c7f63fe7e21141a6bd62d9f0273d381d286f3a5209f0ec7062d3624bb0e073a692c0d38e31d82fe36d171306eee403b614abf38f43a7719d21dd14ca155d9241daf90f81d199740d26c40e7f1bb5f5a0f1c677062815e9d893e55516f0bb0aab1cdb5c482766c8a38b0a1ce595daaec42e59a061dddaf36da261e98a0b6dec1218bdf755544003922b6bc251c20a48afb0d46ee0f4140a3a1be38f3dcaaf6a8d7bdcd844
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber03019a023aff58b16bd6d5eae617f066
    Version3
    Certificate 02c4d1e58a4a680c568da3047e7e4d5f
    FieldValue
    ToBeSigned (TBS) MD5829995f702421dea833a24fb2c7f4442
    ToBeSigned (TBS) SHA11d7e838accd498c2e5ba9373af819ec097bb955c
    ToBeSigned (TBS) SHA25692914d016cc46e125e50c4bd0bd7f72db87eed4ba68f3c589b4e86aa563108db
    SubjectC=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1
    ValidFrom2011-02-11 12:00:00
    ValidTo2026-02-10 12:00:00
    Signature49eb7c60beaeefc97cb3c5ba4b64df1669e286fa29d9de98857d406626332f4455aaaa90e935700a34bed3ae542e8e6500d67a32203e6c26b898a939b1bc95c7aae9f5ee4666c6b3e812f8b3979dff74588234997550ac448fe892ce7d8b0f3196c7dcd31130987416c6e56b4576a39401cd33007a48f66f8631c9562b3322d5f801b644ce8cb4ca88d2e416e3e7f6e23ee109c09d7943437f555c05ad9310c62c0d6bc09eea78e5d277d6b8da9a987fba4c922b9dbda488b1ddafc34cd2979b03c6ae5f1b440f333715e3cbff2f56d316a45b55679da2cadb346c0c734ab57ba4b6b3e935027870ec007acbfc4b4f2236bb1484c98f91dd0f3c758cca0b88e7
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber02c4d1e58a4a680c568da3047e7e4d5f
    Version3
    Certificate 06fdf9039603adea000aeb3f27bbba1b
    FieldValue
    ToBeSigned (TBS) MD54e5ad189638cf52ba9cd881d4d44668c
    ToBeSigned (TBS) SHA1cdc115e98d798b33904c820d63cc1e1afc19251d
    ToBeSigned (TBS) SHA25637560fb9d548ab62cc3ed4669a4ab74828b5a108e67e829937ffb2d10a5f78dd
    SubjectC=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1
    ValidFrom2006-11-10 00:00:00
    ValidTo2021-11-10 00:00:00
    Signature46503ec9b72824a7381db65b29af52cf52e93147ab565c7bd50d0b41b3efec751f7438f2b25c61a29c95c350e482b923d1ba3a8672ad3878ac755d1717347247859456d1ebbb368477cc24a5f3041955a9e7e3e7ab62cdfb8b2d90c2c0d2b594bd5e4fb105d20e3d1aa9145ba6863162a8a833e49b39a7c4f5ce1d7876942573e42aabcf9c764bed5fc24b16e44b704c00891efcc579bc4c1257fe5fe11ebc025da8fefb07384f0dc65d91b90f6745cdd683ede7920d8db1698c4ffb59e0230fd2aaae007cee9c420ecf91d727b716ee0fc3bd7c0aa0ee2c08558522b8eb181a4dfc2a21ad49318347957771dcb11b4b4b1c109c7714c19d4f2f5a9508291026
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber06fdf9039603adea000aeb3f27bbba1b
    Version3

    Imports

    Expand
    • ntoskrnl.exe
    • ksecdd.sys

    Imports

    Expand
    • ntoskrnl.exe
    • ksecdd.sys

    ImportedFunctions

    Expand
    • SePrivilegeCheck
    • ZwOpenKey
    • ProbeForRead
    • RtlGetVersion
    • PsProcessType
    • ObOpenObjectByName
    • ObGetObjectType
    • PsReleaseProcessExitSynchronization
    • ZwQueryObject
    • RtlEqualUnicodeString
    • KeUnstackDetachProcess
    • ExEnumHandleTable
    • ObQueryNameString
    • IoFileObjectType
    • IoDriverObjectType
    • ExfUnblockPushLock
    • ObReferenceObjectByHandle
    • PsAcquireProcessExitSynchronization
    • PsInitialSystemProcess
    • ObSetHandleAttributes
    • ZwQueryInformationProcess
    • ObfDereferenceObject
    • ExAllocatePoolWithQuotaTag
    • ZwQueryInformationThread
    • ObOpenObjectByPointer
    • KeStackAttachProcess
    • PsLookupProcessByProcessId
    • PsJobType
    • PsReferencePrimaryToken
    • SeTokenObjectType
    • IoCreateDevice
    • PsGetProcessJob
    • PsLookupProcessThreadByCid
    • ZwTerminateProcess
    • PsDereferencePrimaryToken
    • IoThreadToProcess
    • RtlWalkFrameChain
    • KeInitializeApc
    • KeSetEvent
    • KeInsertQueueApc
    • KeWaitForSingleObject
    • PsThreadType
    • PsLookupThreadByThreadId
    • ZwQuerySystemInformation
    • ZwQueryVirtualMemory
    • ExReleaseFastMutex
    • ExAcquireFastMutex
    • ZwReadFile
    • MmHighestUserAddress
    • SeLocateProcessImageName
    • KeDelayExecutionThread
    • ZwCreateFile
    • RtlRandomEx
    • ZwQueryInformationFile
    • MmUnmapLockedPages
    • ExRaiseStatus
    • MmMapLockedPagesSpecifyCache
    • MmProbeAndLockPages
    • MmUnlockPages
    • MmIsAddressValid
    • KeBugCheckEx
    • PsGetCurrentProcessId
    • IofCompleteRequest
    • ZwClose
    • ZwQueryValueKey
    • KeInitializeEvent
    • ProbeForWrite
    • IoDeleteDevice
    • RtlInitUnicodeString
    • ExFreePoolWithTag
    • IoGetCurrentProcess
    • ExAllocatePoolWithTag
    • __C_specific_handler
    • BCryptCreateHash
    • BCryptDestroyKey
    • BCryptImportKeyPair
    • BCryptCloseAlgorithmProvider
    • BCryptVerifySignature
    • BCryptFinishHash
    • BCryptHashData
    • BCryptDestroyHash
    • BCryptOpenAlgorithmProvider
    • BCryptGetProperty

    ExportedFunctions

    Expand

    Signature

    Expand
    {
      "Certificates": [
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "61204db4000000000027",
          "Signature": "208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA",
          "TBS": {
            "MD5": "8e3ffc222fbcebdbb8b23115ab259be7",
            "SHA1": "ee20bff28ffe13be731c294c90d6ded5aae0ec0e",
            "SHA256": "59826b69bc8c28118c96323b627da59aaca0b142cc5d8bad25a8fcfd399aa821",
            "SHA384": "f2dab7e56a33298654924501499487f6ba72c7d9477476a186e1ed7a9be031fade0e35ac09eff5e56bbbab95ae5374e7"
          },
          "ValidFrom": "2011-04-15 19:45:33",
          "ValidTo": "2021-04-15 19:55:33",
          "Version": 3
        },
        {
          "IsCertificateAuthority": false,
          "SerialNumber": "03019a023aff58b16bd6d5eae617f066",
          "Signature": "9d257e1b334db226815c9b86ce23200f8087e588ffffb1d46a2c31ed3a17197117cda91bbc5a1639009de36c84e45a40fbde06018c37fa9bb19d247efe20a457ad5bb79ab06026ea6957215d342f1f71b0839419056b359010a07b97c7f63fe7e21141a6bd62d9f0273d381d286f3a5209f0ec7062d3624bb0e073a692c0d38e31d82fe36d171306eee403b614abf38f43a7719d21dd14ca155d9241daf90f81d199740d26c40e7f1bb5f5a0f1c677062815e9d893e55516f0bb0aab1cdb5c482766c8a38b0a1ce595daaec42e59a061dddaf36da261e98a0b6dec1218bdf755544003922b6bc251c20a48afb0d46ee0f4140a3a1be38f3dcaaf6a8d7bdcd844",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder",
          "TBS": {
            "MD5": "a752afee44f017e8d74e3f3eb7914ae3",
            "SHA1": "8eca80a6b80e9c69dcef7745748524afb8019e2d",
            "SHA256": "82560fa7efec30b5ff82af643e6f3bf3d46868bbd5e7d76f93db185e9e3553a1",
            "SHA384": "e8b11408c88f877ade4ca51114a175fb5dfd2d18d2a66be547c1c9e080fa8f592c7870e30dfab1c04d234993dd0907f3"
          },
          "ValidFrom": "2014-10-22 00:00:00",
          "ValidTo": "2024-10-22 00:00:00",
          "Version": 3
        },
        {
          "IsCertificateAuthority": false,
          "SerialNumber": "03e9017d54cd93f094d0a2ab7fc0e3f5",
          "Signature": "bbc031b3dd6b1c6ebec77b8dc1ecfa938149c64e0c959e5857db5c28ef549ddf0be920ccb7ec515aaeb180a28d64a1f4065d38cb997db59295f123851392903c673ed6d1db930ec1618add9989f0f1fc8d06ec5a945242cd7432d6838e33b4c3e4784e754b64dce078686ab2e6626848ff7dcd6fb7efebffdfdad1eefc1e98f9c338ff2565f05039176b24148a841614635157da5f61a17bbd6d479815714e8d3067f0320d5e8bfaa6e35731804925df9b85ba32c0d9f4ccd484d6d1b279bad0ef22b0da375826ea2e119d5c848d9a9275b93abb084c02af9f1b46c5357652f113f556fdb9d1900223341503f4e89b98bae134f7cc9d6409fcf72d2c746c714a",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=AU, ST=New South Wales, L=Sydney, O=Wen Jia Liu, CN=Wen Jia Liu",
          "TBS": {
            "MD5": "edebe2eab71887f7571e5c501cf8b745",
            "SHA1": "9b039c3cc8d41568351b37628c8dd682b36872e4",
            "SHA256": "d6bc8ae81688ac5660ff3b1a337a63edb4c86b6eac8af9dc77f361c820bc7a82",
            "SHA384": "a7728722407d4cab35d1e851b050c4c9614f5a66b47352b270c76bfea92b8002c7859c02b5fa1ef0773eb3a73f0a37dc"
          },
          "ValidFrom": "2013-10-30 00:00:00",
          "ValidTo": "2015-11-04 12:00:00",
          "Version": 3
        },
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "02c4d1e58a4a680c568da3047e7e4d5f",
          "Signature": "49eb7c60beaeefc97cb3c5ba4b64df1669e286fa29d9de98857d406626332f4455aaaa90e935700a34bed3ae542e8e6500d67a32203e6c26b898a939b1bc95c7aae9f5ee4666c6b3e812f8b3979dff74588234997550ac448fe892ce7d8b0f3196c7dcd31130987416c6e56b4576a39401cd33007a48f66f8631c9562b3322d5f801b644ce8cb4ca88d2e416e3e7f6e23ee109c09d7943437f555c05ad9310c62c0d6bc09eea78e5d277d6b8da9a987fba4c922b9dbda488b1ddafc34cd2979b03c6ae5f1b440f333715e3cbff2f56d316a45b55679da2cadb346c0c734ab57ba4b6b3e935027870ec007acbfc4b4f2236bb1484c98f91dd0f3c758cca0b88e7",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1",
          "TBS": {
            "MD5": "829995f702421dea833a24fb2c7f4442",
            "SHA1": "1d7e838accd498c2e5ba9373af819ec097bb955c",
            "SHA256": "92914d016cc46e125e50c4bd0bd7f72db87eed4ba68f3c589b4e86aa563108db",
            "SHA384": "dbb72e38c3bc17b08aa00535ebd48502058ce6ecfd24bd4dd45c7b33e3d523510a4a649d86dfc77436c58754bd0754ea"
          },
          "ValidFrom": "2011-02-11 12:00:00",
          "ValidTo": "2026-02-10 12:00:00",
          "Version": 3
        },
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "06fdf9039603adea000aeb3f27bbba1b",
          "Signature": "46503ec9b72824a7381db65b29af52cf52e93147ab565c7bd50d0b41b3efec751f7438f2b25c61a29c95c350e482b923d1ba3a8672ad3878ac755d1717347247859456d1ebbb368477cc24a5f3041955a9e7e3e7ab62cdfb8b2d90c2c0d2b594bd5e4fb105d20e3d1aa9145ba6863162a8a833e49b39a7c4f5ce1d7876942573e42aabcf9c764bed5fc24b16e44b704c00891efcc579bc4c1257fe5fe11ebc025da8fefb07384f0dc65d91b90f6745cdd683ede7920d8db1698c4ffb59e0230fd2aaae007cee9c420ecf91d727b716ee0fc3bd7c0aa0ee2c08558522b8eb181a4dfc2a21ad49318347957771dcb11b4b4b1c109c7714c19d4f2f5a9508291026",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1",
          "TBS": {
            "MD5": "4e5ad189638cf52ba9cd881d4d44668c",
            "SHA1": "cdc115e98d798b33904c820d63cc1e1afc19251d",
            "SHA256": "37560fb9d548ab62cc3ed4669a4ab74828b5a108e67e829937ffb2d10a5f78dd",
            "SHA384": "173bfb77183785621ef15f43ea807338cea6a02e8183317d9ef050c7237adda3fa2a5bdcd5a4c96da9f2c55900675b9f"
          },
          "ValidFrom": "2006-11-10 00:00:00",
          "ValidTo": "2021-11-10 00:00:00",
          "Version": 3
        }
      ],
      "CertificatesInfo": "",
      "Signer": [
        {
          "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1",
          "SerialNumber": "03e9017d54cd93f094d0a2ab7fc0e3f5",
          "Version": 1
        }
      ],
      "SignerInfo": ""
    }
    

    source

    last_updated: 2023-12-02