f4990bdd-8821-4a3c-a11a-4651e645810c

IOMap64.sys :inline :inline

Description

IOMap64.sys is a vulnerable driver and more information will be added as found.

  • UUID: f4990bdd-8821-4a3c-a11a-4651e645810c
  • Created: 2023-01-09
  • Author: Michael Haag
  • Acknowledgement: |

Download

This download link contains the vulnerable driver!

Commands

sc.exe create IOMap64.sys binPath=C:\windows\temp\IOMap64.sys type=kernel && sc.exe start IOMap64.sys
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed driver files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://github.com/elastic/protections-artifacts/search?q=VulnDriver
  • https://github.com/elastic/protections-artifacts/search?q=VulnDriver

    • Known Vulnerable Samples

    PropertyValue
    FilenameIOMap64.sys
    Creation Timestamp2010-02-04 18:55:34
    MD5a01c412699b6f21645b2885c2bae4454
    SHA12fc6845047abcf2a918fce89ab99e4955d08e72c
    SHA256ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41
    Authentihash MD53d840e2458fef30b0871bf1c13b060ff
    Authentihash SHA163b773c3c8308ddfa783b318d0ea67724fa1dc2f
    Authentihash SHA25634b3acdeac5002880071f73b70aa3abd3a6facb9e281b5c93cc82a7a8a6d5cc1
    RichPEHeaderHash MD5fbccc3a104df27d5cfc3732e79242335
    RichPEHeaderHash SHA1f43a074e5d0724463bece3b665b3602a0642ceb1
    RichPEHeaderHash SHA2569da8629da77396f72801318b4779adec059769739c20388b7552c8dd6f54999d
    CompanyASUSTeK Computer Inc.
    DescriptionASUS Kernel Mode Driver for NT
    ProductASUS Kernel Mode Driver for NT
    OriginalFilenameIOMap.sys

    Download

    Certificates

    Expand
    Certificate 3825d7faf861af9ef490e726b5d65ad5
    FieldValue
    ToBeSigned (TBS) MD5d6c7684e9aaa508cf268335f83afe040
    ToBeSigned (TBS) SHA118066d20ad92409c567cdfde745279ff71c75226
    ToBeSigned (TBS) SHA256a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff
    SubjectC=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2
    ValidFrom2007-06-15 00:00:00
    ValidTo2012-06-14 23:59:59
    Signature50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber3825d7faf861af9ef490e726b5d65ad5
    Version3
    Certificate 47bf1995df8d524643f7db6d480d31a4
    FieldValue
    ToBeSigned (TBS) MD5518d2ea8a21e879c942d504824ac211c
    ToBeSigned (TBS) SHA121ce87d827077e61abddf2beba69fde5432ea031
    ToBeSigned (TBS) SHA2561ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7
    SubjectC=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA
    ValidFrom2003-12-04 00:00:00
    ValidTo2013-12-03 23:59:59
    Signature4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber47bf1995df8d524643f7db6d480d31a4
    Version3
    Certificate 655226e1b22e18e1590f2985ac22e75c
    FieldValue
    ToBeSigned (TBS) MD5650704c342850095f3288eaf791147d4
    ToBeSigned (TBS) SHA14cdc38c800761463749c3cbd94a12f32e49877bf
    ToBeSigned (TBS) SHA25607b8f662558ec85b71b43a79c6e94698144f4ced2308af21e7ba1e5d461da214
    SubjectC=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA
    ValidFrom2009-05-21 00:00:00
    ValidTo2019-05-20 23:59:59
    Signature8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber655226e1b22e18e1590f2985ac22e75c
    Version3
    Certificate 610c120600000000001b
    FieldValue
    ToBeSigned (TBS) MD553c41bc1164e09e0cd1617a5bf913efd
    ToBeSigned (TBS) SHA193c03aac8951d494ecd5696b1c08658541b18727
    ToBeSigned (TBS) SHA25640bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b
    SubjectC=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
    ValidFrom2006-05-23 17:01:29
    ValidTo2016-05-23 17:11:29
    Signature01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber610c120600000000001b
    Version3
    Certificate 12d5c9e2949d48abaccd3514f0fb22ad
    FieldValue
    ToBeSigned (TBS) MD5a8e2727ca2cb8705c02aaef015feb372
    ToBeSigned (TBS) SHA194a0711ecebe96729e048ae1c7de9c4ba5c25ec4
    ToBeSigned (TBS) SHA256dd670882ef38bfeecfb2865ad06f52e36b07f99fbf5937b2ede58178d2221961
    SubjectC=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.
    ValidFrom2009-08-03 00:00:00
    ValidTo2012-08-03 23:59:59
    Signaturebdc1dedf888c617c55af86763028f36094aeaadb7ebe82208e02d910305a252b4156a62a7f17366536fde06c13ff2bd8891e303a1e8c5c3cdb5fb257627367e3b6446b76c8080f61feac4424c5ef89467a79dc55fcb929805b727a10b39493038f97535686250f46e169bc85a02fb1f8a2626235a540e058084d1b17dbb7c426e76a8d3c2b3e2c0c4f33b9d6cc8d7a3590f8f61358ea5380ee0af3df7197dc4a615bcef1bcd119dba007d955d1acd14b42ab89d3539047d13d3e767de04ab5aa289fa0a698a582e84a5a65a1c9fabed2f75576629e8ad1826b68f2fca2baa751745f5ec968ed91cdf9761244a80b8c0d957900297ac3523c7a20c64e35be1b0a
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber12d5c9e2949d48abaccd3514f0fb22ad
    Version3

    Imports

    Expand
    • ntoskrnl.exe
    • HAL.dll

    Imported Functions

    Expand
    • KeInitializeMutex
    • RtlInitUnicodeString
    • IoDeleteDevice
    • MmUnmapIoSpace
    • MmMapIoSpace
    • PoStartNextPowerIrp
    • IofCompleteRequest
    • ExFreePoolWithTag
    • IoCreateSymbolicLink
    • IoCreateDevice
    • IofCallDriver
    • KeReleaseMutex
    • KeWaitForSingleObject
    • KeBugCheckEx
    • IoDeleteSymbolicLink
    • PoCallDriver
    • ExAllocatePoolWithTag
    • HalTranslateBusAddress
    • KeStallExecutionProcessor

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • INIT
    • .rsrc

    Signature

    Expand
    {
  "Certificates": [
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "3825d7faf861af9ef490e726b5d65ad5",
      "Signature": "50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2",
      "TBS": {
        "MD5": "d6c7684e9aaa508cf268335f83afe040",
        "SHA1": "18066d20ad92409c567cdfde745279ff71c75226",
        "SHA256": "a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff",
        "SHA384": "35c249d6ad0261a6229b2a727067ac6ba32a5d24b30b9249051f748c7735fbe2ec2ef26a702c50df1790fbe32a65aee7"
      },
      "ValidFrom": "2007-06-15 00:00:00",
      "ValidTo": "2012-06-14 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "47bf1995df8d524643f7db6d480d31a4",
      "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA",
      "TBS": {
        "MD5": "518d2ea8a21e879c942d504824ac211c",
        "SHA1": "21ce87d827077e61abddf2beba69fde5432ea031",
        "SHA256": "1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7",
        "SHA384": "53e346bbde23779a5d116cc9d86fdd71c97b1f1b343439f8a11aa1d3c87af63864bb8488a5aeb2d0c26a6a1e0b15f03f"
      },
      "ValidFrom": "2003-12-04 00:00:00",
      "ValidTo": "2013-12-03 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "655226e1b22e18e1590f2985ac22e75c",
      "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA",
      "TBS": {
        "MD5": "650704c342850095f3288eaf791147d4",
        "SHA1": "4cdc38c800761463749c3cbd94a12f32e49877bf",
        "SHA256": "07b8f662558ec85b71b43a79c6e94698144f4ced2308af21e7ba1e5d461da214",
        "SHA384": "2a271d052213438467d09d60eaa4010c8642fff3eb0070e0cf9969428713c8fdc066b90996d594dd3136f5bd0af5a22a"
      },
      "ValidFrom": "2009-05-21 00:00:00",
      "ValidTo": "2019-05-20 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "610c120600000000001b",
      "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority",
      "TBS": {
        "MD5": "53c41bc1164e09e0cd1617a5bf913efd",
        "SHA1": "93c03aac8951d494ecd5696b1c08658541b18727",
        "SHA256": "40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b",
        "SHA384": "f51d4e75ba638f7314cd59b8d6d45f3b34d35ce6986e9d205cd6f333e8e8d8e9c91f636e6bc84731b6661673f40963d8"
      },
      "ValidFrom": "2006-05-23 17:01:29",
      "ValidTo": "2016-05-23 17:11:29",
      "Version": 3
    },
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "12d5c9e2949d48abaccd3514f0fb22ad",
      "Signature": "bdc1dedf888c617c55af86763028f36094aeaadb7ebe82208e02d910305a252b4156a62a7f17366536fde06c13ff2bd8891e303a1e8c5c3cdb5fb257627367e3b6446b76c8080f61feac4424c5ef89467a79dc55fcb929805b727a10b39493038f97535686250f46e169bc85a02fb1f8a2626235a540e058084d1b17dbb7c426e76a8d3c2b3e2c0c4f33b9d6cc8d7a3590f8f61358ea5380ee0af3df7197dc4a615bcef1bcd119dba007d955d1acd14b42ab89d3539047d13d3e767de04ab5aa289fa0a698a582e84a5a65a1c9fabed2f75576629e8ad1826b68f2fca2baa751745f5ec968ed91cdf9761244a80b8c0d957900297ac3523c7a20c64e35be1b0a",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.",
      "TBS": {
        "MD5": "a8e2727ca2cb8705c02aaef015feb372",
        "SHA1": "94a0711ecebe96729e048ae1c7de9c4ba5c25ec4",
        "SHA256": "dd670882ef38bfeecfb2865ad06f52e36b07f99fbf5937b2ede58178d2221961",
        "SHA384": "508037c851d72d2bf8f35ba25436903a510d02d58f923b6d2c694a9a27f4a82b0b0953ee7b3c68078faafe3886a64aa4"
      },
      "ValidFrom": "2009-08-03 00:00:00",
      "ValidTo": "2012-08-03 23:59:59",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA",
      "SerialNumber": "12d5c9e2949d48abaccd3514f0fb22ad",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

    source

    last_updated: 2024-04-09