Description
netfilterdrv.sys is a vulnerable driver and more information will be added as found.
- UUID: f1dcb0e4-aa53-4e62-ab09-fb7b4a356916
- Created: 2023-01-09
- Author: Michael Haag
Commands
sc.exe create netfilterdrv.sys binPath=C:\windows\temp\netfilterdrv.sys type=kernel && sc.exe start netfilterdrv.sys
| Use Case | Privileges | Operating System |
|---|---|---|
| Elevate privileges | kernel | Windows 10 |
Detections
Sigma 🛡️
Names
detects loading using name only
Hashes
detects loading using hashes only
Resources
https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
Known Vulnerable Samples
Certificates
Certificate 33000000b5213fca1e4aa03de40000000000b5
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | a0dd89c33c4973bf6758331e200fb6de |
| ToBeSigned (TBS) SHA1 | 65ff7fa429c0f08f8a8bf30509e8ca2919d9edb5 |
| ToBeSigned (TBS) SHA256 | 29a7b646af062aee3bf37d1ba190211365116db7d7aa4cb87ba268843262ae47 |
| Subject | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher |
| ValidFrom | 2020-12-15 22:15:33 |
| ValidTo | 2021-12-02 22:15:33 |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
| IsCertificateAuthority | False |
| SerialNumber | 33000000b5213fca1e4aa03de40000000000b5 |
| Version | 3 |
Certificate 610baac1000000000009
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | a569061297e8e824767dbc3184a69bea |
| ToBeSigned (TBS) SHA1 | adbb26a587a8f44b4fccaecb306f980d1c55a150 |
| ToBeSigned (TBS) SHA256 | cec1afd0e310c55c1dcc601ab8e172917706aa32fb5eaf826813547fdf02dd46 |
| Subject | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012 |
| ValidFrom | 2012-04-18 23:48:38 |
| ValidTo | 2027-04-18 23:58:38 |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
| IsCertificateAuthority | True |
| SerialNumber | 610baac1000000000009 |
| Version | 3 |
Imports
Imported Functions
- ZwClose
- KeSetBasePriorityThread
- KeInitializeEvent
- PsTerminateSystemThread
- KeSetEvent
- KeInitializeTimerEx
- KeSetTimerEx
- KeWaitForSingleObject
- ExAllocatePoolWithTag
- ExFreePoolWithTag
- PsCreateSystemThread
- MmIsAddressValid
- KeLeaveCriticalRegion
- RtlCopyUnicodeString
- KeEnterCriticalRegion
- IoDeleteSymbolicLink
- RtlInitUnicodeString
- WdfVersionBind
- WdfVersionUnbind
- WdfVersionUnbindClass
- WdfVersionBindClass
Exported Functions
Sections
- .text
- .rdata
- .data
- .pdata
- INIT
- .reloc
Signature
Imports
- fwpkclnt.sys
- ntoskrnl.exe
- NETIO.SYS
- HAL.dll
- WDFLDR.SYS
Imported Functions
- FwpsAcquireClassifyHandle0
- FwpsReleaseClassifyHandle0
- FwpmFilterDeleteById0
- FwpsAcquireWritableLayerDataPointer0
- FwpsApplyModifiedLayerData0
- FwpmFilterAdd0
- FwpmCalloutAdd0
- FwpmSubLayerDeleteByKey0
- FwpmSubLayerAdd0
- FwpmTransactionAbort0
- FwpmTransactionCommit0
- FwpmTransactionBegin0
- FwpmEngineClose0
- FwpmEngineOpen0
- FwpsCalloutUnregisterById0
- FwpsCompleteClassify0
- FwpsCalloutRegister1
- memcpy
- KeGetCurrentThread
- KeInitializeEvent
- KeWaitForSingleObject
- IoAllocateIrp
- IofCallDriver
- IoCreateFile
- IoFreeIrp
- IoGetRelatedDeviceObject
- ObReferenceObjectByHandle
- ObfDereferenceObject
- ZwQueryInformationFile
- ZwSetInformationFile
- ZwReadFile
- ZwWriteFile
- ZwClose
- IoFileObjectType
- strchr
- strncat
- strncpy_s
- KeResetEvent
- MmProbeAndLockPages
- MmUnlockPages
- IoAllocateMdl
- IoFreeMdl
- IoReuseIrp
- memset
- sprintf
- KeEnterCriticalRegion
- KeLeaveCriticalRegion
- PsTerminateSystemThread
- KeSetBasePriorityThread
- CmUnRegisterCallback
- CmRegisterCallbackEx
- CmCallbackGetKeyObjectID
- strncmp
- strncpy
- wcsncmp
- ExAcquireSpinLockExclusive
- ExReleaseSpinLockExclusive
- RtlCreateSecurityDescriptor
- RtlSetDaclSecurityDescriptor
- KeInitializeTimerEx
- KeSetTimerEx
- PsCreateSystemThread
- ZwCreateKey
- ZwOpenKey
- ZwFlushKey
- ZwQueryValueKey
- ZwSetValueKey
- NtQueryInformationToken
- RtlLengthSid
- RtlConvertSidToUnicodeString
- RtlCreateAcl
- RtlAddAccessAllowedAce
- RtlSetOwnerSecurityDescriptor
- PsLookupProcessByProcessId
- ObOpenObjectByPointer
- ZwOpenProcessTokenEx
- ZwSetSecurityObject
- PsGetProcessImageFileName
- _allmul
- PsProcessType
- SeExports
- IoDeleteSymbolicLink
- RtlUnwind
- MmIsAddressValid
- ExFreePoolWithTag
- ExAllocatePoolWithTag
- KeSetEvent
- RtlFreeUnicodeString
- KeBugCheckEx
- RtlAnsiStringToUnicodeString
- RtlCopyUnicodeString
- RtlInitUnicodeString
- RtlInitAnsiString
- strstr
- WskDeregister
- WskReleaseProviderNPI
- WskCaptureProviderNPI
- WskRegister
- KeGetCurrentIrql
- WdfVersionBind
- WdfVersionBindClass
- WdfVersionUnbindClass
- WdfVersionUnbind
Exported Functions
Sections
- .text
- .rdata
- .data
- INIT
- .reloc
Signature
Certificates
Certificate 33000000b5213fca1e4aa03de40000000000b5
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | a0dd89c33c4973bf6758331e200fb6de |
| ToBeSigned (TBS) SHA1 | 65ff7fa429c0f08f8a8bf30509e8ca2919d9edb5 |
| ToBeSigned (TBS) SHA256 | 29a7b646af062aee3bf37d1ba190211365116db7d7aa4cb87ba268843262ae47 |
| Subject | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher |
| ValidFrom | 2020-12-15 22:15:33 |
| ValidTo | 2021-12-02 22:15:33 |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
| IsCertificateAuthority | False |
| SerialNumber | 33000000b5213fca1e4aa03de40000000000b5 |
| Version | 3 |
Certificate 610baac1000000000009
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | a569061297e8e824767dbc3184a69bea |
| ToBeSigned (TBS) SHA1 | adbb26a587a8f44b4fccaecb306f980d1c55a150 |
| ToBeSigned (TBS) SHA256 | cec1afd0e310c55c1dcc601ab8e172917706aa32fb5eaf826813547fdf02dd46 |
| Subject | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012 |
| ValidFrom | 2012-04-18 23:48:38 |
| ValidTo | 2027-04-18 23:58:38 |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
| IsCertificateAuthority | True |
| SerialNumber | 610baac1000000000009 |
| Version | 3 |
Imports
- fwpkclnt.sys
- ntoskrnl.exe
- NETIO.SYS
- HAL.dll
- WDFLDR.SYS
Imported Functions
- FwpsAcquireClassifyHandle0
- FwpsReleaseClassifyHandle0
- FwpmFilterDeleteById0
- FwpsAcquireWritableLayerDataPointer0
- FwpsApplyModifiedLayerData0
- FwpmFilterAdd0
- FwpmCalloutAdd0
- FwpmSubLayerDeleteByKey0
- FwpmSubLayerAdd0
- FwpmTransactionAbort0
- FwpmTransactionCommit0
- FwpmTransactionBegin0
- FwpmEngineClose0
- FwpmEngineOpen0
- FwpsCalloutUnregisterById0
- FwpsCompleteClassify0
- FwpsCalloutRegister1
- KeGetCurrentThread
- KeInitializeEvent
- KeWaitForSingleObject
- IoAllocateIrp
- IofCallDriver
- IoCreateFile
- IoFreeIrp
- IoGetRelatedDeviceObject
- ObReferenceObjectByHandle
- ObfDereferenceObject
- ZwQueryInformationFile
- ZwSetInformationFile
- ZwReadFile
- ZwWriteFile
- ZwClose
- IoFileObjectType
- strchr
- strncat
- strncpy_s
- strstr
- KeResetEvent
- MmProbeAndLockPages
- MmUnlockPages
- IoAllocateMdl
- IoFreeMdl
- IoReuseIrp
- IoDeleteSymbolicLink
- sprintf
- KeEnterCriticalRegion
- KeLeaveCriticalRegion
- PsTerminateSystemThread
- KeSetBasePriorityThread
- CmUnRegisterCallback
- CmRegisterCallbackEx
- CmCallbackGetKeyObjectID
- strncmp
- strncpy
- wcsncmp
- ExAcquireSpinLockExclusive
- ExReleaseSpinLockExclusive
- RtlCreateSecurityDescriptor
- RtlSetDaclSecurityDescriptor
- KeInitializeTimerEx
- KeSetTimerEx
- PsCreateSystemThread
- ZwCreateKey
- ZwOpenKey
- ZwFlushKey
- ZwQueryValueKey
- ZwSetValueKey
- NtQueryInformationToken
- RtlLengthSid
- RtlConvertSidToUnicodeString
- RtlCreateAcl
- RtlAddAccessAllowedAce
- RtlSetOwnerSecurityDescriptor
- PsLookupProcessByProcessId
- ObOpenObjectByPointer
- ZwOpenProcessTokenEx
- ZwSetSecurityObject
- PsGetProcessImageFileName
- _allmul
- PsProcessType
- SeExports
- memcpy
- RtlUnwind
- memset
- MmIsAddressValid
- ExFreePoolWithTag
- ExAllocatePoolWithTag
- KeSetEvent
- KeBugCheckEx
- RtlFreeUnicodeString
- RtlCopyUnicodeString
- RtlAnsiStringToUnicodeString
- RtlInitUnicodeString
- RtlInitAnsiString
- WskDeregister
- WskReleaseProviderNPI
- WskCaptureProviderNPI
- WskRegister
- KeGetCurrentIrql
- WdfVersionBind
- WdfVersionBindClass
- WdfVersionUnbindClass
- WdfVersionUnbind
Exported Functions
Sections
- .text
- .rdata
- .data
- INIT
- .reloc
Signature
Certificates
Certificate 33000000b5213fca1e4aa03de40000000000b5
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | a0dd89c33c4973bf6758331e200fb6de |
| ToBeSigned (TBS) SHA1 | 65ff7fa429c0f08f8a8bf30509e8ca2919d9edb5 |
| ToBeSigned (TBS) SHA256 | 29a7b646af062aee3bf37d1ba190211365116db7d7aa4cb87ba268843262ae47 |
| Subject | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher |
| ValidFrom | 2020-12-15 22:15:33 |
| ValidTo | 2021-12-02 22:15:33 |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
| IsCertificateAuthority | False |
| SerialNumber | 33000000b5213fca1e4aa03de40000000000b5 |
| Version | 3 |
Certificate 610baac1000000000009
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | a569061297e8e824767dbc3184a69bea |
| ToBeSigned (TBS) SHA1 | adbb26a587a8f44b4fccaecb306f980d1c55a150 |
| ToBeSigned (TBS) SHA256 | cec1afd0e310c55c1dcc601ab8e172917706aa32fb5eaf826813547fdf02dd46 |
| Subject | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012 |
| ValidFrom | 2012-04-18 23:48:38 |
| ValidTo | 2027-04-18 23:58:38 |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
| IsCertificateAuthority | True |
| SerialNumber | 610baac1000000000009 |
| Version | 3 |
Imports
Imported Functions
- KeSetBasePriorityThread
- KeInitializeEvent
- KeSetEvent
- KeInitializeTimerEx
- PsTerminateSystemThread
- KeWaitForSingleObject
- ExAllocatePoolWithTag
- ExFreePoolWithTag
- PsCreateSystemThread
- MmIsAddressValid
- KeLeaveCriticalRegion
- RtlCopyUnicodeString
- KeEnterCriticalRegion
- IoDeleteSymbolicLink
- KeSetTimerEx
- RtlInitUnicodeString
- WdfVersionBind
- WdfVersionUnbind
- WdfVersionUnbindClass
- WdfVersionBindClass
Exported Functions
Sections
- .text
- .rdata
- .data
- .pdata
- INIT
- .reloc
Signature
Certificates
Certificate 33000000b5213fca1e4aa03de40000000000b5
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | a0dd89c33c4973bf6758331e200fb6de |
| ToBeSigned (TBS) SHA1 | 65ff7fa429c0f08f8a8bf30509e8ca2919d9edb5 |
| ToBeSigned (TBS) SHA256 | 29a7b646af062aee3bf37d1ba190211365116db7d7aa4cb87ba268843262ae47 |
| Subject | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher |
| ValidFrom | 2020-12-15 22:15:33 |
| ValidTo | 2021-12-02 22:15:33 |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
| IsCertificateAuthority | False |
| SerialNumber | 33000000b5213fca1e4aa03de40000000000b5 |
| Version | 3 |
Certificate 610baac1000000000009
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | a569061297e8e824767dbc3184a69bea |
| ToBeSigned (TBS) SHA1 | adbb26a587a8f44b4fccaecb306f980d1c55a150 |
| ToBeSigned (TBS) SHA256 | cec1afd0e310c55c1dcc601ab8e172917706aa32fb5eaf826813547fdf02dd46 |
| Subject | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012 |
| ValidFrom | 2012-04-18 23:48:38 |
| ValidTo | 2027-04-18 23:58:38 |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
| IsCertificateAuthority | True |
| SerialNumber | 610baac1000000000009 |
| Version | 3 |
Imports
- fwpkclnt.sys
- ntoskrnl.exe
- NETIO.SYS
- WDFLDR.SYS
Imported Functions
- FwpmFilterAdd0
- FwpmFilterDeleteById0
- FwpsAcquireClassifyHandle0
- FwpmCalloutAdd0
- FwpsCompleteClassify0
- FwpsAcquireWritableLayerDataPointer0
- FwpsApplyModifiedLayerData0
- FwpmSubLayerDeleteByKey0
- FwpmSubLayerAdd0
- FwpmTransactionAbort0
- FwpmTransactionCommit0
- FwpmTransactionBegin0
- FwpmEngineClose0
- FwpmEngineOpen0
- FwpsCalloutUnregisterById0
- FwpsReleaseClassifyHandle0
- FwpsCalloutRegister1
- KeInitializeEvent
- KeWaitForSingleObject
- IoAllocateIrp
- IofCallDriver
- IoCreateFile
- IoFreeIrp
- IoGetRelatedDeviceObject
- ObReferenceObjectByHandle
- ObfDereferenceObject
- ZwQueryInformationFile
- ZwSetInformationFile
- ZwReadFile
- ZwWriteFile
- ZwClose
- IoFileObjectType
- strchr
- strncat
- strncpy_s
- strstr
- KeResetEvent
- MmProbeAndLockPages
- MmUnlockPages
- IoAllocateMdl
- IoFreeMdl
- IoReuseIrp
- __C_specific_handler
- MmIsAddressValid
- sprintf
- KeEnterCriticalRegion
- KeLeaveCriticalRegion
- PsTerminateSystemThread
- KeSetBasePriorityThread
- CmUnRegisterCallback
- CmRegisterCallbackEx
- CmCallbackGetKeyObjectID
- strncmp
- strncpy
- wcsncmp
- ExAcquireSpinLockExclusive
- ExReleaseSpinLockExclusive
- RtlCreateSecurityDescriptor
- RtlSetDaclSecurityDescriptor
- KeInitializeTimerEx
- KeSetTimerEx
- PsCreateSystemThread
- ZwCreateKey
- ZwOpenKey
- ZwFlushKey
- ZwQueryValueKey
- ZwSetValueKey
- NtQueryInformationToken
- RtlLengthSid
- RtlConvertSidToUnicodeString
- RtlCreateAcl
- RtlAddAccessAllowedAce
- RtlSetOwnerSecurityDescriptor
- PsLookupProcessByProcessId
- ObOpenObjectByPointer
- ZwOpenProcessTokenEx
- ZwSetSecurityObject
- PsGetProcessImageFileName
- PsProcessType
- SeExports
- IoDeleteSymbolicLink
- ExFreePoolWithTag
- ExAllocatePoolWithTag
- KeSetEvent
- RtlFreeUnicodeString
- KeBugCheckEx
- RtlCopyUnicodeString
- RtlAnsiStringToUnicodeString
- RtlInitUnicodeString
- RtlInitAnsiString
- WskCaptureProviderNPI
- WskReleaseProviderNPI
- WskDeregister
- WskRegister
- WdfVersionBind
- WdfVersionBindClass
- WdfVersionUnbindClass
- WdfVersionUnbind
Exported Functions
Sections
- .text
- .rdata
- .data
- .pdata
- INIT
- .reloc
Signature
last_updated: 2026-04-06