vmdrv.sys

Description

vmdrv.sys is a vulnerable driver and more information will be added as found.

  • UUID: fdf4f85b-47f4-4c98-a0d5-a6583463f565
  • Created: 2023-01-09
  • Author: Michael Haag
  • Acknowledgement:

Download

This download link contains the vulnerable driver!

Commands

sc.exe create vmdrv.sys binPath=C:\windows\temp\vmdrv.sys type=kernel && sc.exe start vmdrv.sys

Use Case            Privileges   Operating System
Elevate privileges  kernel       Windows 10

Detections

YARA 🏹

  • Exact Match: with header and size limitation
  • Threat Hunting: without header and size limitation
  • Renamed: for renamed driver files

Sigma 🛡️

  • Names: detects loading using name only
  • Hashes: detects loading using hashes only

Sysmon 🔎

  • Block: on hashes
  • Alert: on hashes

Resources

  • https://github.com/elastic/protections-artifacts/search?q=VulnDriver

  • Known Vulnerable Samples

    Property                 Value
    Filename                 vmdrv.sys
    Creation Timestamp       2022-02-22 13:12:24
    MD5                      d5db81974ffda566fa821400419f59be
    SHA1                     4c18754dca481f107f0923fb8ef5e149d128525d
    SHA256                   32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351
    Authentihash MD5         681bb8e9713477839a1ee8d87b498630
    Authentihash SHA1        68cdcd073e57f650c5d6173cd79af3a3526052f6
    Authentihash SHA256      99ddeba6bcdc79e52e3ff8afc63dbe4b299161cf0f5558a2d7630c2a18daf2c6
    RichPEHeaderHash MD5     f6ca8831520c235d28dbfa26ad735d55
    RichPEHeaderHash SHA1    e8d1bb5697814956222cfbf5d0275766135f9ba0
    RichPEHeaderHash SHA256  709e3c46eff74215c009624ce48e3d6d65a6e5237d38781232e9cb1844748fcf
    Company                  Windows (R) Win 7 DDK provider
    Description              Voicemod Virtual Audio Device (WDM)
    Product                  Windows (R) Win 7 DDK driver
    OriginalFilename         vmdrv.sys

    Certificates

    Certificate 0fb8a740b9158d035143bc59d9f04029

    Field                    Value
    ToBeSigned (TBS) MD5     b4a3c39dbd2935ac070032406fa082e4
    ToBeSigned (TBS) SHA1    891bf1b0a017f5aadbc0d997fe63eb0ec25a1655
    ToBeSigned (TBS) SHA256  81d8278fe4857a2dfa510a0af74deeb0623ef79e25fcf171644808a3ec652305
    Subject                  C=US, O=DigiCert, Inc., CN=DigiCert Global G3 Code Signing ECC SHA384 2021 CA1
    ValidFrom                2021-04-29 00:00:00
    ValidTo                  2036-04-28 23:59:59
    Signature                3065023078bd4995657101d0465768650e68a9dc3608c1eefdd48edb40653f0dff93afc2ae6386a37ecbb4915a78ec070367077c023100e79f1ff1075bac34c638bcb5a550cee6ea387e3e7990e4a45bab020de807fc56a65a8addb350b2ddf2fa66749ed01663
    SignatureAlgorithmOID    1.2.840.10045.4.3.3
    IsCertificateAuthority   True
    SerialNumber             0fb8a740b9158d035143bc59d9f04029
    Version                  3

    Certificate 014d8930c6a3fceb0f4021734d5ed508

    Field                    Value
    ToBeSigned (TBS) MD5     59e2799dd07c9a450f06c376eb220a48
    ToBeSigned (TBS) SHA1    8588e052171ee54d148087ef5e2b8cf81017d199
    ToBeSigned (TBS) SHA256  3a0fbfc101d7832c403769e3f28cdfcea533abdd1461c09b134594a1d21aabe8
    Subject                  ??=Private Organization, ??=ES, ??=Valencia, serialNumber=B98657844, C=ES, L=Valencia, O=Voicemod Sociedad Limitada, CN=Voicemod Sociedad Limitada
    ValidFrom                2021-10-21 00:00:00
    ValidTo                  2023-01-19 23:59:59
    Signature                3066023100fd8a9d376bf4399c7cb947c5fbb2e90bb3fdbcb37cab257ef47db016f1898e2d129241a757f039f8e7112b05a48632a60231009b75d4e2623fb9f54ce9ffc6ba7a661a5d2d54b096ddf6c510b2f6063981c15846e282779e9febffa39e5c9fad429646
    SignatureAlgorithmOID    1.2.840.10045.4.3.3
    IsCertificateAuthority   False
    SerialNumber             014d8930c6a3fceb0f4021734d5ed508
    Version                  3

    Imports

    • ntoskrnl.exe
    • portcls.sys

    Imported Functions

    • RtlInitUnicodeString
    • KeClearEvent
    • KeSetEvent
    • ExFreePool
    • IofCompleteRequest
    • IoCreateDevice
    • IoCreateSymbolicLink
    • IoDeleteDevice
    • IoDeleteSymbolicLink
    • ObReferenceObjectByHandle
    • ObfDereferenceObject
    • ExEventObjectType
    • ExAllocatePoolWithTag
    • ExFreePoolWithTag
    • ExSystemTimeToLocalTime
    • _purecall
    • KeInitializeDpc
    • KeFlushQueuedDpcs
    • KeInitializeMutex
    • KeReleaseMutex
    • KeInitializeTimerEx
    • KeCancelTimer
    • KeSetTimerEx
    • KeWaitForSingleObject
    • KeInitializeSpinLock
    • KeAcquireSpinLockRaiseToDpc
    • KeReleaseSpinLock
    • IoAllocateWorkItem
    • IoFreeWorkItem
    • IoQueueWorkItem
    • RtlIsNtDdiVersionAvailable
    • PcInitializeAdapterDriver
    • PcDispatchIrp
    • PcAddAdapterDevice
    • PcRegisterAdapterPowerManagement
    • PcNewServiceGroup
    • PcRegisterSubdevice
    • PcRegisterPhysicalConnection
    • PcNewPort

    Exported Functions

    (none)

    Sections

    • .text
    • .rdata
    • .data
    • .pdata
    • PAGE
    • INIT
    • .rsrc
    • .reloc

    Signature

    {
      "Certificates": [
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "0fb8a740b9158d035143bc59d9f04029",
          "Signature": "3065023078bd4995657101d0465768650e68a9dc3608c1eefdd48edb40653f0dff93afc2ae6386a37ecbb4915a78ec070367077c023100e79f1ff1075bac34c638bcb5a550cee6ea387e3e7990e4a45bab020de807fc56a65a8addb350b2ddf2fa66749ed01663",
          "SignatureAlgorithmOID": "1.2.840.10045.4.3.3",
          "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Global G3 Code Signing ECC SHA384 2021 CA1",
          "TBS": {
            "MD5": "b4a3c39dbd2935ac070032406fa082e4",
            "SHA1": "891bf1b0a017f5aadbc0d997fe63eb0ec25a1655",
            "SHA256": "81d8278fe4857a2dfa510a0af74deeb0623ef79e25fcf171644808a3ec652305",
            "SHA384": "17653c0976e1370da584b5eaf4a6deb1d3b7cad97c2f12592e7b96c5302b88bde20b30fa5963ef0ac9f2063083b48e9e"
          },
          "ValidFrom": "2021-04-29 00:00:00",
          "ValidTo": "2036-04-28 23:59:59",
          "Version": 3
        },
        {
          "IsCertificateAuthority": false,
          "SerialNumber": "014d8930c6a3fceb0f4021734d5ed508",
          "Signature": "3066023100fd8a9d376bf4399c7cb947c5fbb2e90bb3fdbcb37cab257ef47db016f1898e2d129241a757f039f8e7112b05a48632a60231009b75d4e2623fb9f54ce9ffc6ba7a661a5d2d54b096ddf6c510b2f6063981c15846e282779e9febffa39e5c9fad429646",
          "SignatureAlgorithmOID": "1.2.840.10045.4.3.3",
          "Subject": "??=Private Organization, ??=ES, ??=Valencia, serialNumber=B98657844, C=ES, L=Valencia, O=Voicemod Sociedad Limitada, CN=Voicemod Sociedad Limitada",
          "TBS": {
            "MD5": "59e2799dd07c9a450f06c376eb220a48",
            "SHA1": "8588e052171ee54d148087ef5e2b8cf81017d199",
            "SHA256": "3a0fbfc101d7832c403769e3f28cdfcea533abdd1461c09b134594a1d21aabe8",
            "SHA384": "6df23072f503ec2ff425603e606c706a149144483579648653c5e1f40c64243b77cc021873ed46c5ac9597ba452f11fc"
          },
          "ValidFrom": "2021-10-21 00:00:00",
          "ValidTo": "2023-01-19 23:59:59",
          "Version": 3
        }
      ],
      "CertificatesInfo": "",
      "Signer": [
        {
          "Issuer": "C=US, O=DigiCert, Inc., CN=DigiCert Global G3 Code Signing ECC SHA384 2021 CA1",
          "SerialNumber": "014d8930c6a3fceb0f4021734d5ed508",
          "Version": 1
        }
      ],
      "SignerInfo": ""
    }
    

    last_updated: 2024-04-09