-
-
Save schrodyn/45eab4f9229f116e2cfd2c427a84fdd6 to your computer and use it in GitHub Desktop.
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import "pe" | |
| rule LOLDrivers_58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "windows" | |
| $a1 = "windows" | |
| $a2 = "\\Registry\\User\\" | |
| $a3 = "\\Registry\\Machine\\" | |
| $a4 = "\\Registry\\Machine\\SOFTWARE\\Classes\\" | |
| $a5 = "buffer troppo piccolo" | |
| $a6 = "Processo: " | |
| $a7 = "\\Device\\Harddisk0\\DR0" | |
| $a8 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" | |
| $a9 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows" | |
| $a10 = "PROTOCOLS\\FILTER" | |
| $a11 = "Software\\Microsoft\\Windows NT\\CurrentVersion\\WinLogon\\Notify" | |
| $a12 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" | |
| $a13 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx" | |
| $a14 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices" | |
| $a15 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce" | |
| $a16 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce" | |
| $a17 = "exefile\\shell\\open\\command" | |
| $a18 = "batfile\\shell\\open\\command" | |
| $a19 = "comfile\\shell\\open\\command" | |
| $a20 = "piffile\\shell\\open\\command" | |
| $a21 = "scrfile\\shell\\open\\command" | |
| $a22 = "chatfile\\shell\\open\\command" | |
| $a23 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\explorer\\run" | |
| $a24 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\drivers32" | |
| $a25 = "SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls" | |
| $a26 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" | |
| $a27 = "SOFTWARE\\Microsoft\\Internet Explorer\\Styles" | |
| $a28 = "SYSTEM\\CurrentControlSet\\Control\\SecurityProviders" | |
| $a29 = "SecurityProviders" | |
| $a30 = "system" | |
| $a31 = "SOFTWARE\\Microsoft\\Command Processor" | |
| $a32 = "SYSTEM\\ControlSet001\\Control\\Session Manager\\AppCertDlls" | |
| $a33 = "SYSTEM\\ControlSet001\\Control\\Session Manager\\SubSystems" | |
| $a34 = "windows" | |
| $a35 = "SYSTEM\\CurrentControlSet\\Control\\Session Manager\\SubSystems" | |
| $a36 = "SYSTEM\\CurrentControlSet\\Control\\Lsa" | |
| $a37 = "Notification Packages" | |
| $a38 = "Security Packages" | |
| $a39 = "PROTOCOLS\\FILTER\\Text/Html" | |
| $a40 = "PROTOCOLS\\FILTER\\Text/plain" | |
| $a41 = "\\InprocServer32" | |
| $a42 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad" | |
| $a43 = "SOFTWARE\\Microsoft\\Internet Explorer\\Toolbar" | |
| $a44 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler" | |
| $a45 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks" | |
| $a46 = "SOFTWARE\\Microsoft\\Code Store Database\\Distribution Units" | |
| $a47 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\explorer\\Browser Helper Objects" | |
| $a48 = "*\\shellex\\ContextMenuHandlers" | |
| $a49 = "DownloadInformation" | |
| $a50 = "CODEBASE" | |
| $a51 = "System\\CurrentControlSet\\Services\\WinSock2\\Parameters\\NameSpace_Catalog5\\Catalog_Entries" | |
| $a52 = "LibraryPath" | |
| $a53 = "System\\CurrentControlSet\\Services\\WinSock2\\Parameters\\Protocol_Catalog9\\Catalog_Entries" | |
| $a54 = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options" | |
| $a55 = "Debugger" | |
| $a56 = "System\\CurrentControlSet\\Services" | |
| $a57 = "\\Parameters" | |
| $a58 = "DisplayName" | |
| $a59 = "ServiceDll" | |
| $a60 = "Software\\Microsoft\\Internet Explorer\\Main" | |
| $a61 = "Default_Page_URL" | |
| $a62 = "Default_Search_URL" | |
| $a63 = "Search Bar" | |
| $a64 = "Search Page" | |
| $a65 = "Software\\Microsoft\\Internet Explorer\\Search" | |
| $a66 = "CustomizeSearch" | |
| $a67 = "SearchAssistant" | |
| $a68 = "SYSTEM\\CurrentControlSet\\Services\\VIRAGTLT" | |
| $a69 = "SOFTWARE\\microsoft\\windows nt\\currentversion\\winlogon" | |
| $a70 = "SOFTWARE\\wow6432node\\microsoft\\windows nt\\currentversion\\winlogon" | |
| $a71 = "explorer.exe" | |
| $a72 = "DisableSvc" | |
| $a73 = "SYSTEM\\CurrentControlSet\\Services\\" | |
| $a74 = "ErrDisableSvc" | |
| $a75 = "REMOVE" | |
| $a76 = "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16" | |
| $a77 = "SOFTWARE\\microsoft\\windows nt\\currentversion\\Image File Execution Options\\explorer.exe" | |
| $a78 = "SOFTWARE\\microsoft\\windows nt\\currentversion\\Image File Execution Options\\monitor.exe" | |
| $a79 = "SOFTWARE\\microsoft\\windows nt\\currentversion\\Image File Execution Options\\viritexp.exe" | |
| $a80 = "SOFTWARE\\microsoft\\windows nt\\currentversion\\Image File Execution Options\\monlite.exe" | |
| $a81 = "SOFTWARE\\microsoft\\windows nt\\currentversion\\Image File Execution Options\\userinit.exe" | |
| $a82 = "Lingua" | |
| $a83 = "SOFTWARE\\wow6432Node\\virit-lt" | |
| $a84 = "System" | |
| $a85 = "SOFTWARE\\microsoft\\windows nt\\currentversion\\Image File Execution Options\\" | |
| $a86 = "BuildNumber" | |
| $a87 = "%SystemRoot%\\system32\\wbem\\WMIsvc.dll" | |
| $a88 = "\\SYSTEM\\CurrentControlSet\\Services\\winmgmt\\Parameters" | |
| $a89 = "SOFTWARE\\microsoft\\windows nt\\currentversion\\windows" | |
| $a90 = "SOFTWARE\\virit-lt" | |
| $a91 = "cc\\backup.dll" | |
| $a92 = "cc\\ENGINE.DLL" | |
| $a93 = "backup.dll" | |
| $a94 = "ENGINE.DLL" | |
| $a95 = "upg\\backup.dll" | |
| $a96 = "upg\\ENGINE.DLL" | |
| $a97 = "upg\\BACKUP.DLL" | |
| $a98 = "cc\\BACKUP.DLL" | |
| $a99 = "backuplist.lst" | |
| $a100 = "\\Driver\\" | |
| $a101 = "\\Driver" | |
| $a102 = "%s -> DriverStartIo = %I64x" | |
| $a103 = "%s -> DriverStartIo = %I64x Hook in %s" | |
| $a104 = "%s -> DriverInit = %I64x" | |
| $a105 = "%s -> DriverInit = %I64x Hook in %s" | |
| $a106 = "%s -> MajorFunction[%s] = %I64x" | |
| $a107 = "%s -> MajorFunction[%s] = %I64x Hook in %s" | |
| $a108 = "\\BaseNamedObjects" | |
| $w0 = "\\DosDevices\\PhysicalDrive%d" wide | |
| $w1 = "\\Driver\\Disk" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {A89D0F3C80BA2EFA4AD19B824FD485E89055934BF7F60D66148A77E640B3B3A1578B70710D1DA0BE910852A87647DABCFA1A533625C67392C207017F04A54F20BFD89A08F47F074FB59F24A077223246F8DC9668E28D07118FC7FD6857D7DE34E9AE26D0E8A7EF0CDB674FFCF437DD6D03E20F12CFB1C40ABD4CA46F05AA4BF6A0E8FC363BB0297BAC40C754CA9C9C67FAD95EA9FD4D5E572794588B6CAF09CBDD09C72B82D2BA9A1781BF4950DA985BB6AEE2BA740CB9BAECD592AAC94472262F1595CA49E262D4154315B2410335084FD9E085C78AECA79B6BABDAB06C2C1C6FBDE4E8C9958670D94923C4144073B1C1C3F5731106657B17F76B19678E9753} | |
| $m5 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "!!!!Get NDIS Module Info failed!\n" | |
| $a1 = "NdisIMInitializeDeviceInstanceEx" | |
| $a2 = "NdisIMInitializeDeviceInstanceEx:%p\n" | |
| $a3 = "ndisFindMiniportOnGlobalList:%p %x %p\n" | |
| $a4 = "NdisMRegisterMiniportDriver" | |
| $a5 = "NdisMRegisterMiniportDriver:%p\n" | |
| $a6 = "init_nic_adapter error no ndis offset\n" | |
| $a7 = "EnumSysModule tcpip.sys failed!\n" | |
| $a8 = "OpenBlockSearchLen %d set->0x600\n" | |
| $a9 = "OpenBlockSearchLen %d set->0x800\n" | |
| $a10 = "tcpip base:%p TcpOpenBlock %p OpenBlockSearchLen %x\n" | |
| $a11 = "RootDeviceNameOff:%d %d %d %d \n" | |
| $a12 = "!!!ndis6 offset init failed!\n" | |
| $a13 = "CreateFileA" | |
| $a14 = "CloseHandle" | |
| $a15 = "CreateProcessA" | |
| $a16 = "WaitForSingleObject" | |
| $a17 = "LoadLibraryA" | |
| $a18 = "GetModuleHandleA" | |
| $a19 = "\\DosDevices\\" | |
| $a20 = "\\SystemRoot\\" | |
| $a21 = "Content-Type: application/octet-stream\r\n" | |
| $a22 = "Content-Length: %d\r\n\r\n" | |
| $a23 = "Content-Length:" | |
| $a24 = "Connection:" | |
| $w0 = "\\registry\\machine\\system\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\" wide | |
| $w1 = "IPAddress" wide | |
| $w2 = "DhcpIPAddress" wide | |
| $w3 = "DefaultGateway" wide | |
| $w4 = "RtlGetVersion" wide | |
| $w5 = "kerNel32.dll" wide | |
| $w6 = "\\Device\\Tcp4" wide | |
| $w7 = "\\DosDevices\\Tcp4" wide | |
| $m0 = {AE0051901C0274FA4D6322EDEF2FF7D1CC7F88A6F830FA9B21953A427799B887ACBA537A557BEF3677CEB6A075CA3C91F942B305C59C7CD60D9BA9F4824C71352B73134F7CC9DB2EB71CDA2DFE38BA90D075442EC7783A4A2EC5732C138139278E13E8B5C91B206F3B5DDFAB3855BD871710046C3C849C6760477A70C8952E1DFFFEAD14F55DEF82EB2F03B44196762467BA0C03ED322BC30B4576D5D4BB8C099FFB223FD2899C68DE000DB2F6D57ADC29600779DBB58AB1A869DAC451A5E975B0CCBCF139E3BD5C104DB5BB7B97593D58B8BFC2B0BBD4AD93C18E0E1E2A5F3CD4BB098FD920FE2801DC56554FA7E4FAB2C1178A7A6113870F2DA8F771A31C3D} | |
| $m1 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m2 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_b47be212352d407d0ef7458a7161c66b47c2aec8391dd101df11e65728337a6a | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "b47be212352d407d0ef7458a7161c66b47c2aec8391dd101df11e65728337a6a" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "CITMDRV.SYS: ZwCreateFile failed (0x%x)\n" | |
| $a1 = "CITMDRV.SYS: unload...\n" | |
| $a2 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_WRITECOMBINE\n" | |
| $a3 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_NOCACHE\n" | |
| $a4 = "CITMDRV.SYS: ZwUnmapViewOfSection failed (0x%x)\n" | |
| $a5 = "CITMDRV.SYS: copy %u bytes into user memory\n" | |
| $a6 = "CITMDRV.SYS: virtualAddress=0x%p\n" | |
| $a7 = "CITMDRV.SYS: Insufficient input or output buffer\n" | |
| $a8 = "CITMDRV.SYS: ZwMapViewOfSection failed (0x%x)\n" | |
| $a9 = "CITMDRV.SYS: aligned Address = 0x%I64x\n" | |
| $a10 = "CITMDRV.SYS: requested offset = 0x%x\n" | |
| $a11 = "CITMDRV.SYS: userOffset = 0x%x\n" | |
| $a12 = "CITMDRV.SYS: Try to split into single pages\n" | |
| $a13 = "CITMDRV.SYS: ZwOpenSection failed (0x%x)\n" | |
| $a14 = "CITMDRV.SYS: offset = 0x%x\n" | |
| $a15 = "CITMDRV.SYS: aligned end Address = 0x%I64x\n" | |
| $a16 = "CITMDRV.SYS: aligned start Address = 0x%I64x\n" | |
| $a17 = "CITMDRV.SYS: requested Size = 0x%x\n" | |
| $a18 = "CITMDRV.SYS: requested Address = 0x%I64x\n" | |
| $a19 = "CITMDRV.SYS: MmProbeAndLockPages access violation\n" | |
| $a20 = "CITMDRV.SYS: IoAllocateMdl failed\n" | |
| $a21 = "CITMDRV.SYS: userVirtualAddress = 0x%p\n" | |
| $a22 = "CITMDRV.SYS: unknown IRP_MJ_DEVICE_CONTROL\n" | |
| $a23 = "CITMDRV.SYS: IRP_MJ_CREATE\n" | |
| $a24 = "CITMDRV.SYS: IoCreateDevice failed\n" | |
| $a25 = "CITMDRV.SYS: IoCreateSymbolicLink failed\n" | |
| $a26 = "CITMDRV.SYS: DriverEntry...\n" | |
| $w0 = "\\DosDevices\\CITMDRV" wide | |
| $w1 = "\\Device\\PhysicalMemory" wide | |
| $w2 = "\\Device\\CITMDRV" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {D66D48AB487B00E92CAB08B846957A4918A507E5A6ACF04FEDCD529AB14D7EB0444DED486867E9C23B5CE55969AE520C6E556E2D1583277A6A09479D9CE2104BB76D1332005412F7D28AA1A85027F622F542F2832FB348F0454BE2D13BAD717280718D798272374000C8DF32748EB926321695E71ACA96FA4B55ACF24DF9A780BDEFE07205866592C1941457898ACB2A866226CF5C5E336C59B9D4359DAB8D340FCC0606C7565AEC8D5AACC37AAED10DD2F72260F831D1FA7ED05D69C7EF31C65424CAF31BF2D9482EA4108D0F7D13B30D6D5FC88D516E9992518D418A871F6CEBC20E55012AB2B7C73611995439723309A26374311F3C4C5D324E6CE5B2EAA3} | |
| $m3 = {97831E0016AF2CB1D208C4D7689351601E71F6E247B4DB584D23626AB4BF5A1B51F7A30D187768BBD836AB2F2150DA9EF3E75F274E0BC297C8097093A9DA5C0D4EA40D91A0B4EC14CE9172542ECEA3DB44E9521B3F413CCA4AE4AAC0E839AB53CC21D0CCCF7F9BE6C2CC586A8215EE3D36CF1CC59707248EF17BBE312D3D6EDCB599429F4B61955F1C70EE177DDB8BE5618978C7681BAF11781A98AEC4554753D9B332D6A10E4640C597928AD153A7995B853557D3EA936261200AC7307724114D6283B6BA7B688231EE65CADFF9D58DB235DC8C2B6F6A725C60849CF20C945EC056520048CCD3F8A57DDE2FD713E438A884D546B81386C21B9DEA5A38DD9BDB} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\NTIOLib_ECO" wide | |
| $w1 = "\\DosDevices\\NTIOLib_ECO" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {B24F14E710BED72672AB3697EF53BF42845E58D18A28FC43466F7E2844500B755D00D73C0A449E206AA4F7454A3760A36E3F12FA6DFAB646C36AA3B80C2728025728D150F7613955B8C3E12586523CBF051DD7B39AF89A243149D5A2A9E2D391AB3E3C73EFF629F1C835D0307B7F4E92A5068F87E2CEF5C16366AC18692AC15EBB5AE86E95FF3B80629D99C7C72F66D5FD621A82555AC6FA40778EC9303C1BF0F235B86C599CFDE9D6CAB4401EF704CAD167A974E3A50854D983353B8E8C230C75B6DE864A9E1A3E0A5049389CD2A890BF98FAC88C2B27117E2AFBCEDEA9AE389322FAA6ECFB5C6176C344D6CC0C7E2F6D0680A27440BBB71FF43BD773541FF3} | |
| $m2 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m3 = {BE4A2335C1F42275B5B0E7DD0A5B0C23655C15460D6E2E8455950F3EF4B46165CFB462C11F2C83EF605BF8ED1DC0808584DFD27F07F168DCDB64FB74B8F5A27190D81B187D0DD3F16A379AE523C9E2CF99ECC3EC1DA2567DB7967A08068BBC3288C310C7C6E0A34D724969FA8E317A31B2C8A414CBF217370C842939E5AE40813C50D577DCFED6E87CD8DF87744A8DED04E18FDD01E450A737B1663BF0A883778250EE26B95DD6A1F3F2AD0509B44D9E4CA02267FE8BC62F00197AD013933EC5F91B85208709E947F724CB1A1193F9CE3F1CD8CFAEC366C3C941E12F65EB098B67E31B59175C57B4D0A8988A7B5D93084EA27D4C14D525EC42C2B117D2BDA47B} | |
| $m4 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\NTIOLib_1_0_3" wide | |
| $w1 = "\\DosDevices\\NTIOLib_1_0_3" wide | |
| $m0 = {A9596674DA3D8A7D7AD8FCF580447BFE476A14554E50470BECD3EDCEF638F74F69B9B1F0B678820A8C761667E202ADB70DA58AF603FC66D3FC082DCCB573597B89DC336E665A5E5237B462D1925935148B45AC59B24D24A298946842729F3A68E26B8B9E222DF4984E9AC6AFB3E4A0AB3C28BF23E1D772A4F2105367AE77AF51} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {B24F14E710BED72672AB3697EF53BF42845E58D18A28FC43466F7E2844500B755D00D73C0A449E206AA4F7454A3760A36E3F12FA6DFAB646C36AA3B80C2728025728D150F7613955B8C3E12586523CBF051DD7B39AF89A243149D5A2A9E2D391AB3E3C73EFF629F1C835D0307B7F4E92A5068F87E2CEF5C16366AC18692AC15EBB5AE86E95FF3B80629D99C7C72F66D5FD621A82555AC6FA40778EC9303C1BF0F235B86C599CFDE9D6CAB4401EF704CAD167A974E3A50854D983353B8E8C230C75B6DE864A9E1A3E0A5049389CD2A890BF98FAC88C2B27117E2AFBCEDEA9AE389322FAA6ECFB5C6176C344D6CC0C7E2F6D0680A27440BBB71FF43BD773541FF3} | |
| $m3 = {BE4A2335C1F42275B5B0E7DD0A5B0C23655C15460D6E2E8455950F3EF4B46165CFB462C11F2C83EF605BF8ED1DC0808584DFD27F07F168DCDB64FB74B8F5A27190D81B187D0DD3F16A379AE523C9E2CF99ECC3EC1DA2567DB7967A08068BBC3288C310C7C6E0A34D724969FA8E317A31B2C8A414CBF217370C842939E5AE40813C50D577DCFED6E87CD8DF87744A8DED04E18FDD01E450A737B1663BF0A883778250EE26B95DD6A1F3F2AD0509B44D9E4CA02267FE8BC62F00197AD013933EC5F91B85208709E947F724CB1A1193F9CE3F1CD8CFAEC366C3C941E12F65EB098B67E31B59175C57B4D0A8988A7B5D93084EA27D4C14D525EC42C2B117D2BDA47B} | |
| $m4 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "passive cpu call for cpu %d\n" | |
| $a1 = "DBK loading..." | |
| $a2 = "Signed version" | |
| $a3 = "Loading driver\n" | |
| $a4 = "Registry path = %S\n" | |
| $a5 = "DriverString=%S\n" | |
| $a6 = "DeviceString=%S\n" | |
| $a7 = "ProcessEventString=%S\n" | |
| $a8 = "ThreadEventString=%S\n" | |
| $a9 = "Failed reading the value\n" | |
| $a10 = "Failed opening the key\n" | |
| $a11 = "IoCreateDevice failed\n" | |
| $a12 = "IoCreateSymbolicLink failed: %x\n" | |
| $a13 = "DriverObject=%p\n" | |
| $a14 = "Initializing debugger\n" | |
| $a15 = "Cleaning up initialization buffers\n" | |
| $a16 = "offset of LBR_Count=%d\n" | |
| $a17 = "Testing forEachCpu(...)\n" | |
| $a18 = "Testing forEachCpuAsync(...)\n" | |
| $a19 = "Testing forEachCpuPassive(...)\n" | |
| $a20 = "LVT_Performance_Monitor=%x\n" | |
| $a21 = "No exceptions test:" | |
| $a22 = "Leaving NoExceptions mode" | |
| $a23 = "Allocated test at %p\n" | |
| $a24 = "Allocated test2 at %p\n" | |
| $a25 = "A process without SeDebugPrivilege tried to open the dbk driver\n" | |
| $a26 = "Can not unload the driver because of debugger\n" | |
| $a27 = "ObOpenObjectByName=%p\n" | |
| $a28 = "Stopping processwatch\n" | |
| $a29 = "Removing process watch" | |
| $a30 = "Removing thread watch" | |
| $a31 = "Driver unloading\n" | |
| $a32 = "IoDeleteSymbolicLink: %x\n" | |
| $a33 = "Unregistering DRM handle" | |
| $a34 = "Touching debug register. inepilogue=\n" | |
| $a35 = "Initializing debugger events\n" | |
| $a36 = "DebuggerState.fxstate=%p\n" | |
| $a37 = "hooked int1. Int1JumpBackLocation=%x:%llx\n" | |
| $a38 = "Setting GD bit for cpu %d\n" | |
| $a39 = "Enabling LBR logging. IA32_DEBUGCTL was %x\n" | |
| $a40 = "Enabling LBR logging. IA32_DEBUGCTL is %x\n" | |
| $a41 = "Setting storeLBR to true\n" | |
| $a42 = "Setting storeLBR to false\n" | |
| $a43 = "Because your cpu_model=%d I think that your storeLBR_max=%d\n" | |
| $a44 = "debugger_setGlobalDebugState(%d)\n" | |
| $a45 = "Int 1 is hooked,%ssetting GD\n" | |
| $a46 = "oldEpilogueState=%d\n" | |
| $a47 = "debugger_startDebugging. Processid=%x\n" | |
| $a48 = "Stopping the debugger if it is running\n" | |
| $a49 = "Touching the debug registers\n" | |
| $a50 = "debugger_setGDBreakpoint(%d, %x, %d, %d)\n" | |
| $a51 = "debugger_continueDebugEvent\n" | |
| $a52 = "debugger_getDebuggerState\n" | |
| $a53 = "DebuggerState.LastLBRStack[%d]=%x\n" | |
| $a54 = "debugger_getDebuggerState was called while DebuggerState.LastStackPointer was still NULL" | |
| $a55 = "debugger_setDebuggerState was called while DebuggerState.LastStackPointer was still NULL" | |
| $a56 = "fsbase=%llx gsbase=%llx gskernel=%llx\n" | |
| $a57 = "Going to wait in a kernelmode routine\n" | |
| $a58 = "Woke up in a kernelmode routine\n" | |
| $a59 = "Waiting...\n" | |
| $a60 = "KeWaitForSingleObject=%x\n" | |
| $a61 = "Returning after a wait. handled=%d and eflags=%x\n" | |
| $a62 = "and in kernelmode\n" | |
| $a63 = "Breakpoint wasn't at passive level. Screw this, i'm not going to break here\n" | |
| $a64 = "Invalid debugregister\n" | |
| $a65 = "Invalid register value\n" | |
| $a66 = "WTF? GD is 1 in currentdebugregs[5]: %llx\n" | |
| $a67 = "setting RF because of B0\n" | |
| $a68 = "setting RF because of B1\n" | |
| $a69 = "setting RF because of B2\n" | |
| $a70 = "setting RF because of B3\n" | |
| $a71 = "cpu %d : interrupt %d is hooked\n" | |
| $a72 = "Restored\n" | |
| $a73 = "inthook_HookInterrupt for cpu %d (vmxusable=%d)\n" | |
| $a74 = "interrupt %d newCS=%x newEIP=%llx jumpbacklocation=%p\n" | |
| $a75 = "InterruptHook[%d].hooked=%d\n" | |
| $a76 = "vmxusable=%d\n" | |
| $a77 = "64-bit: DBVM is not loaded and a non dbvm hookable interrupt is being hooked that falls below 32\n" | |
| $a78 = "sizeof newVector=%d\n" | |
| $a79 = "My second kernelmode apc!!!!\n" | |
| $a80 = "SystemArgument1=%x\n" | |
| $a81 = "SystemArgument2=%x\n" | |
| $a82 = "My kernelmode apc!!!!(irql=%d)\n" | |
| $a83 = "NormalRoutine=%p\n" | |
| $a84 = "NormalContext=%p\n" | |
| $a85 = "SystemArgument1=%p\n" | |
| $a86 = "SystemArgument2=%p\n" | |
| $a87 = "(PVOID)KThread=%p\n" | |
| $a88 = "addresstoexecute=%p\n" | |
| $a89 = "PID %d opened a handle to the a CE thread with access mask %x" | |
| $a90 = "PID %d duplicated a handle to a CE thread with access mask %x" | |
| $a91 = "PID %d(%p) opened a handle to the CE process(%p) with access mask %x" | |
| $a92 = "DispatchIoctlDBVM\n" | |
| $a93 = "DispatchIoctl called by a process without SeDebugPrivilege" | |
| $a94 = "GetMemoryRegionData error" | |
| $a95 = "GetMemoryRegionData returned %x\n" | |
| $a96 = "protection=%x\n" | |
| $a97 = "length=%p\n" | |
| $a98 = "BaseAddress=%p\n" | |
| $a99 = "IOCTL_CE_READPHYSICALMEMORY:pinp->startaddress=%x, pinp->bytestoread=%d" | |
| $a100 = "IOCTL_CE_GETMEMORYRANGES\n" | |
| $a101 = "Obsolete\n" | |
| $a102 = "IOCTL_CE_LAUNCHDBVM\n" | |
| $a103 = "Returned from vmxoffload()\n" | |
| $a104 = "IOCTL_CE_USERDEFINEDINTERRUPTHOOK\n" | |
| $a105 = "IOCTL_CE_UNHOOKALLINTERRUPTS for cpu %d\n" | |
| $a106 = "IOCTL_CE_DEBUGPROCESS\n" | |
| $a107 = "IOCTL_CE_STARTPROCESSWATCH\n" | |
| $a108 = "calling PsSetCreateProcessNotifyRoutine\n" | |
| $a109 = "CreateProcessNotifyRoutineEnabled worked\n" | |
| $a110 = "CreateProcessNotifyRoutineEnabled failed (r=%x)\n" | |
| $a111 = "CE_SUSPENDTHREAD\n" | |
| $a112 = "CE_RESUMETHREAD\n" | |
| $a113 = "IOCTL_CE_SUSPENDPROCESS\n" | |
| $a114 = "IOCTL_CE_RESUMEPROCESS\n" | |
| $a115 = "Switched Process\n" | |
| $a116 = "Calling ZwAllocateVirtualMemory\n" | |
| $a117 = "Before call: BaseAddress=%p\n" | |
| $a118 = "Before call: RegionSize=%x\n" | |
| $a119 = "ntStatus=%x\n" | |
| $a120 = "RegionSize=%x\n" | |
| $a121 = "Alloc success. Cleaning memory... (size=%d)\n" | |
| $a122 = "address=%p\n" | |
| $a123 = "IOCTL_CE_MAP_MEMORY\n" | |
| $a124 = "address %x size %d\n" | |
| $a125 = "Exception\n" | |
| $a126 = "From kernel or self\n" | |
| $a127 = "IoAllocateMdl success\n" | |
| $a128 = "Exception part 2\n" | |
| $a129 = "To kernel or self\n" | |
| $a130 = "IOCTL_CE_LOCK_MEMORY" | |
| $a131 = "MmProbeAndLockPages succeeded" | |
| $a132 = "Locked the page\n" | |
| $a133 = "IOCTL_CE_UNLOCK_MEMORY" | |
| $a134 = "PsGetProcessImageFileName==NULL" | |
| $a135 = "IOCTL_CE_CONTINUEDEBUGEVENT\n" | |
| $a136 = "IOCTL_CE_GETDEBUGGERSTATE\n" | |
| $a137 = "Exception happened\n" | |
| $a138 = "ntStatus=%x rax=%x\n" | |
| $a139 = "IOCTL_CE_SETDEBUGGERSTATE: state->rax=%x\n" | |
| $a140 = "Calling debugger_setStoreLBR(%d)\n" | |
| $a141 = "IOCTL_CE_EXECUTE_CODE\n" | |
| $a142 = "Exception occured\n" | |
| $a143 = "IOCTL_CE_GETVERSION. Version=%d\n" | |
| $a144 = "Output: %llx\n" | |
| $a145 = "Error while writing value\n" | |
| $a146 = "IOCTL_CE_ULTIMAP2" | |
| $a147 = "IOCTL_CE_ULTIMAP:\n" | |
| $a148 = "ultimap(%I64x, %I64x, %d):\n" | |
| $a149 = "IOCTL_CE_STARTACCESMONITOR(%d)\n" | |
| $a150 = "IOCTL_CE_ENUMACCESSEDMEMORY(%d)\n" | |
| $a151 = "IOCTL_CE_GETACCESSEDMEMORYLIST\n" | |
| $a152 = "return from IOCTL_CE_GETACCESSEDMEMORYLIST\n" | |
| $a153 = "IOCTL_CE_INITIALIZE\n" | |
| $a154 = "Still here, so vmx is loaded. vmx_version=%x\n" | |
| $a155 = "Exception happened. This means no vmx installed, or one of the passwords is wrong\n" | |
| $a156 = "Virtualization_Enabled=0\n" | |
| $a157 = "inp->PreferedAltitude=%p" | |
| $a158 = "DRMProcess=%p" | |
| $a159 = "DRMProcess2=%p" | |
| $a160 = "Activating CE's super advanced DRM" | |
| $a161 = "RandomVal=%d" | |
| $a162 = "wcAltitude=%S" | |
| $a163 = "ntStatus=%X" | |
| $a164 = "ZwQueryInformationProcess failed" | |
| $a165 = "IOCTL_CE_QUERYINFORMATIONPROCESS" | |
| $a166 = "NULL ProcessInformationAddress" | |
| $a167 = "outp->result=%x" | |
| $a168 = "outp->returnLength=%x" | |
| $a169 = "Exception" | |
| $a170 = "Unhandled IO request: %x\n" | |
| $a171 = "IsAddressSafe dbvm-mode: lastError=%p\n" | |
| $a172 = "Enabled CR0.WP" | |
| $a173 = "lastError=%p\n" | |
| $a174 = "ReadPhysicalMemory(%p, %d, %p)" | |
| $a175 = "Invalid physical address\n" | |
| $a176 = "ReadPhysicalMemory:viewBase.QuadPart=%x" | |
| $a177 = "Failure mapping physical memory" | |
| $a178 = "ReadPhysicalMemory error:ntStatus=%x" | |
| $a179 = "Error while reading physical memory\n" | |
| $a180 = "RtlGetVersion failed" | |
| $a181 = "Excepion while walking the paging layout\n" | |
| $a182 = "GetMemoryRegionData failed because pagebase == 0" | |
| $a183 = "Exception in GetMemoryRegionData\n" | |
| $a184 = "mempointer=%p" | |
| $a185 = "Exception during NoExceptions_Enter. Figures" | |
| $a186 = "Exception during ObOpenObjectByPointer" | |
| $a187 = "Duplicate PID detected..." | |
| $a188 = "Added handle %x for pid %d to the list (newElement=%d r=%p)" | |
| $a189 = "Process %d destruction. r=%p" | |
| $a190 = "Process that was in the list has been closed" | |
| $a191 = "CE Closed" | |
| $a192 = "Allocated a process at:%p\n" | |
| $a193 = "There are %d processes in the list\n" | |
| $a194 = "CreateProcessNotifyRoutineEx" | |
| $a195 = "Found a handle for PID %d (%x)" | |
| $a196 = "Going to suspend this thread\n" | |
| $a197 = "Suspending thread....\n" | |
| $a198 = "x should be %p" | |
| $a199 = "Thread not found in the list\n" | |
| $a200 = "Going to resume this thread\n" | |
| $a201 = "Calling perfmon_interrupt_centry() manually\n" | |
| $a202 = "ultimap_flushBuffers\n" | |
| $a203 = "ultimap_flushBuffers_all has returned\n" | |
| $a204 = "ultimap_continue\n" | |
| $a205 = "Released semaphore\n" | |
| $a206 = "perfmon_interrupt_centry\n" | |
| $a207 = "Entry threadid=%d\n" | |
| $a208 = "ExAllocatePool has failed\n" | |
| $a209 = "Writing buffer to disk\n" | |
| $a210 = "Done Writing. Result=%x\n" | |
| $a211 = "Waiting till there is a block free\n" | |
| $a212 = "Acquired semaphore. Now picking a usable datablock\n" | |
| $a213 = "Acquired mutex. Looking for a Datablock that can be used\n" | |
| $a214 = "Calling KeSetEvent/KeWaitForSingleObject\n" | |
| $a215 = "if ((DataBlock) && (KeWaitForSingleObject(&DataBlockSemaphore, Executive, KernelMode, FALSE, NULL) == STATUS_SUCCESS)) failed\n" | |
| $a216 = "ultimap(%I64x, %I64x, %d)" | |
| $a217 = "ExAllocatePool failed\n" | |
| $a218 = "APIC_BASE->LVT_Performance_Monitor.a=%x\n" | |
| $a219 = "vmxusable is false. So no ultimap for you!!!\n" | |
| $a220 = "ultimapapc call for cpu %d ( IF=%d IRQL=%d)\n" | |
| $a221 = "ultimapapcnormal call for cpu %d ( IF=%d IRQL=%d)\n" | |
| $a222 = "after KeInsertQueueApc" | |
| $a223 = "permon_return" | |
| $a224 = "Creating file %S" | |
| $a225 = "ZwCreateFile=%x\n" | |
| $a226 = "HalSetSystemInformation returned %x\n" | |
| $a227 = "Failure allocating DataBlock and DataReadyPointerList\n" | |
| $a228 = "suspendThread event triggered" | |
| $a229 = "Failed to suspend target\n" | |
| $a230 = "Exception in suspendThread thread\n" | |
| $a231 = "ultimap2_continue(%d)" | |
| $a232 = "MappedAddress was 0" | |
| $a233 = "%d DataProcessed" | |
| $a234 = "ultimap2_waitForData wait returned %x" | |
| $a235 = "MmMapLockedPagesSpecifyCache returned address %p\n" | |
| $a236 = "ultimap2_waitForData: Failure mapping memory into waiter process. Count=%d" | |
| $a237 = "ToPABuffer2MDL is NULL. Not even gonna try" | |
| $a238 = "ultimap2_waitForData flushsize was 0" | |
| $a239 = "ultimap2_waitForData returned %x\n" | |
| $a240 = "OutputPath=%S" | |
| $a241 = "Buffer=%S" | |
| $a242 = "%d: ZwCreateFile=%x\n" | |
| $a243 = "%d: WorkerThread(%p, %d)=%x\n" | |
| $a244 = "KeWaitForSingleObject(DataProcessed)=%x" | |
| $a245 = "Unexpected physical address while writing results for cpu %d (%p)" | |
| $a246 = "%d Not all data recorded\n" | |
| $a247 = "%d:Flushing because of interrupt" | |
| $a248 = "bufferWriterThread active" | |
| $a249 = "bufferWriterThread: Terminating" | |
| $a250 = "FlushData event set and not suspended. Suspending target process\n" | |
| $a251 = "Still going to suspend target process" | |
| $a252 = "After the target has been suspended (isSuspended=%d)\n" | |
| $a253 = "Flushing full CPU's" | |
| $a254 = "PInfo[%d]->Interrupted\n" | |
| $a255 = "Resuming target process" | |
| $a256 = "Unexpected wait result" | |
| $a257 = "ultimap2_flushBuffers" | |
| $a258 = "ultimap2_flushBuffers exit" | |
| $a259 = "PMI: Failed to clear the status\n" | |
| $a260 = "PMI: IA32_RTIT_OUTPUT_MASK_PTRS=%p\n" | |
| $a261 = "PMI: IA32_RTIT_STATUS=%p\n" | |
| $a262 = "PMI %d: Not all data recorded (AT THE PMI!)\n" | |
| $a263 = "PMI: IA32_RTIT_OUTPUT_MASK_PTRS %p\n" | |
| $a264 = "Unexpected PMI" | |
| $a265 = "PMI exception" | |
| $a266 = "ultimap2_disable_dpc for cpu %d\n" | |
| $a267 = "temp disable\n" | |
| $a268 = "%d: disable all\n" | |
| $a269 = "ultimap2_disable_dpc exception" | |
| $a270 = "ultimap2_setup_dpc: IA32_RTIT_CTL in unreadable" | |
| $a271 = "Failed to set the actual CR3. Using a sanitized CR3: %llx\n" | |
| $a272 = "Writing range %d to msr %x and %x" | |
| $a273 = "Value before=%llx" | |
| $a274 = "Error in ultimap2_setup_dpc. i=%d" | |
| $a275 = "BufferSize=%x\n" | |
| $a276 = "Allocated OutputBuffer at %p" | |
| $a277 = "setupToPA (Single ToPA System): Failure allocating output buffer" | |
| $a278 = "setupToPA (Single ToPA System): Failure allocating header for buffer" | |
| $a279 = "setupToPA: Failure allocating output buffer" | |
| $a280 = "setupToPA: Failure allocating header for buffer" | |
| $a281 = "Failure allocating table" | |
| $a282 = "Interrupt at index %d" | |
| $a283 = "SetupUltimap2\n" | |
| $a284 = "Single ToPA System" | |
| $a285 = "Ultimap2: SaveToFile==TRUE: OutputPath=%S" | |
| $a286 = "Ultimap2: Runtime processing" | |
| $a287 = "Split kernel/usermode pages\n" | |
| $a288 = "CurrentCR3=%llx\n" | |
| $a289 = "Failure getting CR3 for this process" | |
| $a290 = "Failure getting the EProcess for pid %d" | |
| $a291 = "No Suspend/Resume support" | |
| $a292 = "ToPAHeader=%p ToPABuffer=%p Size=%x" | |
| $a293 = "ToPAHeader2=%p ToPABuffer2=%p Size=%x" | |
| $a294 = "Registering PMI handler\n" | |
| $a295 = "Failure hooking the permon interrupt. Ultimap2 will not be able to use interrupts until you reboot (This can happen when the perfmon interrupt is hooked more than once. It has no restore/undo hook)\n" | |
| $a296 = "UnregisterUltimapPMI()\n" | |
| $a297 = "1: HalSetSystemInformation to disable returned %x\n" | |
| $a298 = "2: HalSetSystemInformation to disable returned %x\n" | |
| $a299 = "3: HalSetSystemInformation to disable returned %x\n" | |
| $a300 = "UnregisterUltimapPMI() not needed\n" | |
| $a301 = "-------------------->DisableUltimap2<------------------" | |
| $a302 = "-------------------->DisableUltimap2:Stage 1<------------------" | |
| $a303 = "Waiting for SuspendThreadHandle" | |
| $a304 = "Waiting for Ultimap2Handle" | |
| $a305 = "Waiting for WriterThreadHandle[%d]" | |
| $a306 = "Finished terminating ultimap2" | |
| $a307 = "-------------------->DisableUltimap2:Finish<------------------" | |
| $a308 = "Fetching the APIC base\n" | |
| $a309 = "Physical_APIC_BASE=%p\n" | |
| $a310 = "vmx_getversion()\n" | |
| $a311 = "vmx_redirect_interrupt1: redirecttype=%d int1cs=%x int1eip=%llx sizeof(vmcallinfo)=%x\n" | |
| $a312 = "vmx_redirect_interrupt3: int3cs=%x int3eip=%x sizeof(vmcallinfo)=%x\n" | |
| $a313 = "vmx_redirect_interrupt14: int14cs=%x int14eip=%x sizeof(vmcallinfo)=%x\n" | |
| $a314 = "vmx_ultimap(%I64x, %I64x, %I64x)\n" | |
| $a315 = "vmx_add_memory(%p,%d)\n" | |
| $a316 = "vmx_add_memory(vmx_password1=%x,vmx_password2=%x)\n" | |
| $a317 = "structsize at offset %d\n" | |
| $a318 = "level2pass at offset %d\n" | |
| $a319 = "command at offset %d\n" | |
| $a320 = "PhysicalPages[0] at offset %d\n" | |
| $a321 = "PhysicalPages[1] at offset %d\n" | |
| $a322 = "vmx_add_memory(%p,%d) gave an exception at part %d with exception code %x\n" | |
| $a323 = "First time run. Initializing vmm section" | |
| $a324 = "Allocated memory at virtual address %p (physical address %I64x)\n" | |
| $a325 = "(physical address %I64x)\n" | |
| $a326 = "File bigger than 4MB. Big retard detected\n" | |
| $a327 = "Read failure\n" | |
| $a328 = "The startsector=%d (that's offset %d)\n" | |
| $a329 = "Setting up initial paging table for vmm\n" | |
| $a330 = "&NewGDTDescriptor=%p, &NewGDTDescriptor.limit=%p, &NewGDTDescriptor.base=%p\n" | |
| $a331 = "NewGDTDescriptor.limit=%x\n" | |
| $a332 = "NewGDTDescriptor.base=%p\n" | |
| $a333 = "Before enterVMM2 alloc: maxPA=%I64x\n" | |
| $a334 = "enterVMM is located at %p (%I64x)\n" | |
| $a335 = "enterVMM2 is located at %p (%I64x)\n" | |
| $a336 = "Copying function till end\n" | |
| $a337 = "Failure allocating enterVMM2\n" | |
| $a338 = "Allocating memory for the temp pagedir\n" | |
| $a339 = "TemporaryPagingSetup==NULL!!!\n" | |
| $a340 = "TemporaryPagingSetup is located at %p (%I64x)\n" | |
| $a341 = "TemporaryPagingSetupPA = (%I64x) (Should be %I64x)\n" | |
| $a342 = "Setting up temporary paging setup for x64\n" | |
| $a343 = "originalstatePA=%llx\n" | |
| $a344 = "Opened and processed: %S\n" | |
| $a345 = "Failure opening the file. Status=%x (filename=%S)\n" | |
| $a346 = "Failure allocating the required 4MB\n" | |
| $a347 = "initializedvmm=%d\n" | |
| $a348 = "Storing original state\n" | |
| $a349 = "originalstate->cpucount=%d" | |
| $a350 = "originalstate->originalLME=%d" | |
| $a351 = "originalstate->cr0=%I64x" | |
| $a352 = "originalstate->cr2=%I64x" | |
| $a353 = "vmxoffload_override\n" | |
| $a354 = "vmxoffload_override: mi=%p\n" | |
| $a355 = "vmxoffload_override: mi->list=%p\n" | |
| $a356 = "vmx_add_memory returned %x\n" | |
| $a357 = "Error: SystemArgument1=NULL\n" | |
| $a358 = "Created a hash algoritm\n" | |
| $a359 = "Valid signature" | |
| $a360 = "Signature failure: %x\n" | |
| $a361 = "ImportKeyPair fail\n" | |
| $a362 = "OpenSignAlgoritm fail\n" | |
| $a363 = "FinishHash Failed\n" | |
| $a364 = "Failed allocating pbHashBuffer\n" | |
| $a365 = "BCRYPT_OBJECT_LENGTH hash failure\n" | |
| $a366 = "Failure hashing data\n" | |
| $a367 = "CreateHash failed\n" | |
| $a368 = "Failure allocating room for pbHashObject\n" | |
| $a369 = "BCRYPT_OBJECT_LENGTH alg failure\n" | |
| $a370 = "Failed getting a hash algoritm\n" | |
| $a371 = "Failure duplicating path: %x\n" | |
| $a372 = "Failure loading %S\n" | |
| $w0 = "PsSuspendProcess" wide | |
| $w1 = "PsResumeProcess" wide | |
| $w2 = "PsRemoveCreateThreadNotifyRoutine" wide | |
| $w3 = "ObOpenObjectByName" wide | |
| $w4 = "NtProtectVirtualMemory" wide | |
| $w5 = "\\device\\physicalmemory" wide | |
| $w6 = "PsGetProcessImageFileName" wide | |
| $w7 = "ObjectLength" wide | |
| $w8 = "HashDigestLength" wide | |
| $w9 = "ECCPUBLICBLOB" wide | |
| $m0 = {94EF65F8B5579FA0530D3406EB091FB747186ACBF05BE4FF27A534D1F7891ABF9EB1CD12416E66D481A0858B645A462F99A08D77B1E2BC5CDD22D76A67D0BBE8CA74DE8B4F0DB052E5905BEB470EF1E79F9C0B90653E17963045726D39A11736CAB9A08C1B4F0819F68131AD6116A462E6B4409EC3FCFB95F6FBB52E958198E0EFC5EBD802597877F7AAE3526B509129C5FCF7CD9365D2606122F206FB32DD1651FA0EFD8A30F01709A7BBF304AEAB90E76CDF7AA9F4EFC462275F6F996D3874AA118BDADFC7144CE985B2ECC27D4A268FE756BAA6E0CF92538074F403EC68B260BC842000831BA1EEB47405C1298E62D047B1FAF053CC18F92E3BF9707EB425} | |
| $m1 = {CC2576907906782216F5C083B684CA289EFD057611C5AD8872FC460243C7B28A9D045F24CB2E4BE1608246E152AB0C8147706CDD64D1EBF52CA30F823D0C2BAE97D7B614861079BB3B1380778C08E149D26A622F1F5EFA9668DF892795389F06D73EC9CB26590D73DEB0C8E9260E8315C6EF5B8BD20460CA49A628F6693BF6CBC82891E59D8A615737AC7414DC74E03AEE722F2E9CFBD0BBBFF53D00E10633E8822BAE53A63A16738CDD410E203AC0B4A7A1E9B24F902E3260E957CBB904926868E538266075B29F77FF9114EFAE2049FCAD401548D1023161195EB897EFAD77B7649A7ABF5FC113EF9B62FB0D6CE0546916A903DA6EE983937176C669858217} | |
| $m2 = {B017AEA2D3B60430561E580FB1ED55A4D654CBD8F6733AEC5D5EAB25FD36A5FA84C36140C546B559523B42A22E5F136210A95BE673D69225B17D23E306B3873A0E43F0D7008953A2113152286E5D40723CF20977A7499297D46C90A076A7FDB8DCB39DF207602C4F5898006BD31554E0FADDFF802C5F18A698FFD4ABECA14559B22E6F625DE0D919AC8B579CA8262BD917A510D247081A702C338B7F68802AB5A15D6BDD8D02022903AA7C37BBBB294E3D5393B3A6FA8FD25893154CB92DAB80A3A325FBAFF70864B07A440F5C10D75F6137AA4E6BD3D253259D8273FA2CF972B0A919392A50FAA9D03C3ACAE85BEFF55F51F4F90AD99735DE6A85E6230442AF} | |
| $m3 = {D9B7BA25AD94F35BBE41061C53CA0C108C514159337964F4579DE4D525C4EC50845898727940E22F78D492EA260E9EAE957CFBC4FD7144DD8C5FB7238B5EBBF4FC4BCB233DC37603F5D18C45BC71751D8BD28989BEE3513DC6C88AB23135076EB9F5BA6A0DF4109FAED56249287BEC57BAAB327CB17DD2A2560636EEB0EFD06AAEEAAB1FD60D9F7C96FBAD70992D5D95F080D07946EC553ACCD338FB0407A807758282E0D07E77B88FEBD228FCAE6D1468417F7643D748BA6044E1B772E8D0F020037BDADAB40675C7B203DEF894C6688F5E7B9E9B9D36E0CED26BC6C66BE91422B5717EB68F5A1FDBE76EF442109068E62B45104F73BA2CD7C5316A72DD6373} | |
| $m4 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| $m5 = {D935FF1573EDA2A58A71BE758DD64DD012DF0B937C9609C4E69B40C6913948F73BC0B6DC3BC955BD4DDCE93638B7B3ECF790D0734BB74C903E6420F076793C429986EF6CF7FB01A74CEED091911FD72AA9497A60A6022568B991875F23E4A21D0D11CAD6E957BCDA4C8F9E0AA73084688D2A9B629C94988FE948BD5F41CF2757CA5327670741FDE9879B03D0282B82AE4A4CA396292BF5BA630A8211FE454420AD0C14C00BD224907B96B93F2BBD0A68382B92C362B564433C85D1F99D3607EFEADD247B0073A313D2534588CA45F39C923498DEC64B643C49B0D1CF62638ADA1D12320D351CE26F88A3EF2900E55DA8C0C8ED610243D20AA1D63BCADBD7BCE7} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\WCPU" wide | |
| $w1 = "\\DosDevices\\WCPU" wide | |
| $w2 = "\\Device\\PhysicalMemoryToLinear" wide | |
| $m0 = {C4B5F25215BC88866029164A5B2F4B916B8791F335545835EAD1365E624D52513471C27B661D89C8DD2AC46A0AF637D9987491F692AEB0B57696F1A94A6345472E6B0B924E4B2B8CEE584A8BD407E41A2CF882AA58D9CD42F32DC075DE8DABC78E1D9A6C4C08951EDEDBEF67E172C249C29E603CE1E2BE16A3637869147BAD2D} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {BEBCEEBC7EEF83EBE0374FFB031038BE08D28C7D9DFA927F190CC26BEE42528CDED31C481325EAC1637AF95165EED3AA3BF5F0949C2BFBF266D424DAF7F59F6E193936BCD0A376081E2227246C389127E28449AE1B8AA1FD25822C1030E871AB28E8774A51F1ECCDF8F054D46FC0E36D0A8FD9D8648D63B22D4E27F6850EFE6DE32999E285477C2D867FE8578FAD67C23332911320FCA923149A6DC2844B766804D5712C5D21FA880D26FD1F2D912BE701554DF26D352882DFD96B5CB6D6D9AA81FD5FCD83BA639DD022FCA93B4269B28E3AB5BCB49E0F5EC4EA2C828B28FD530896DDB50120D1F9A518E7C0EE517037E1B6054852486F38EAC3E86C7B4484BB} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {A12E19AC5DBA00553B090B9CC105805B17736BB9031167C15CD22498D617B97E234A2A556FD78F6ACECE16EAECF728404AE3DFE5E5E08F77EC1F4AE09F96A65329FD871B2FE68CB35E8B15D2D9D30C54E561B393667CA2E8FA1B6C0894A4A2200DDDFD067B532CDCE0246CFBE440336570BE365C97623E99619A3313916B536B} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "PHDIoStartIo: CmdOutputCount %d" | |
| $a1 = "PHDIoCancelIrp: Cancelling %x %I" | |
| $a2 = "Create File is %T" | |
| $a3 = "DeviceIoControl: %d bytes written" | |
| $a4 = "DeviceIoControl: Control code %x InputLength %d OutputLength %d" | |
| $m0 = {C4B5F25215BC88866029164A5B2F4B916B8791F335545835EAD1365E624D52513471C27B661D89C8DD2AC46A0AF637D9987491F692AEB0B57696F1A94A6345472E6B0B924E4B2B8CEE584A8BD407E41A2CF882AA58D9CD42F32DC075DE8DABC78E1D9A6C4C08951EDEDBEF67E172C249C29E603CE1E2BE16A3637869147BAD2D} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {BEBCEEBC7EEF83EBE0374FFB031038BE08D28C7D9DFA927F190CC26BEE42528CDED31C481325EAC1637AF95165EED3AA3BF5F0949C2BFBF266D424DAF7F59F6E193936BCD0A376081E2227246C389127E28449AE1B8AA1FD25822C1030E871AB28E8774A51F1ECCDF8F054D46FC0E36D0A8FD9D8648D63B22D4E27F6850EFE6DE32999E285477C2D867FE8578FAD67C23332911320FCA923149A6DC2844B766804D5712C5D21FA880D26FD1F2D912BE701554DF26D352882DFD96B5CB6D6D9AA81FD5FCD83BA639DD022FCA93B4269B28E3AB5BCB49E0F5EC4EA2C828B28FD530896DDB50120D1F9A518E7C0EE517037E1B6054852486F38EAC3E86C7B4484BB} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {DE4ED4BA1EDB9F5BEFF8340D947CFF92D4E112B2164D0980F7358F7F8C3E24F03352F9FEFC42506BC75EF5F8A342D423FEA1F0F773D95E4ADA32961CF85F6409F44EF595E07E87251A98B4EE817FF981C1B47C442D7FD851BB647D7BF7E31A45E837F52571052CB573EDAD9D6A707D63775A0771A5C540A1F4BFE2004197F933} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_b1334a71cc73b3d0c54f62d8011bec330dfc355a239bf94a121f6e4c86a30a2e | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "b1334a71cc73b3d0c54f62d8011bec330dfc355a239bf94a121f6e4c86a30a2e" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "CITMDRV.SYS: ZwCreateFile failed (0x%x)\n" | |
| $a1 = "CITMDRV.SYS: unload...\n" | |
| $a2 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_WRITECOMBINE\n" | |
| $a3 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_NOCACHE\n" | |
| $a4 = "CITMDRV.SYS: ZwUnmapViewOfSection failed (0x%x)\n" | |
| $a5 = "CITMDRV.SYS: copy %u bytes into user memory\n" | |
| $a6 = "CITMDRV.SYS: virtualAddress=0x%p\n" | |
| $a7 = "CITMDRV.SYS: Insufficient input or output buffer\n" | |
| $a8 = "CITMDRV.SYS: ZwMapViewOfSection failed (0x%x)\n" | |
| $a9 = "CITMDRV.SYS: aligned Address = 0x%I64x\n" | |
| $a10 = "CITMDRV.SYS: requested offset = 0x%x\n" | |
| $a11 = "CITMDRV.SYS: userOffset = 0x%x\n" | |
| $a12 = "CITMDRV.SYS: Try to split into single pages\n" | |
| $a13 = "CITMDRV.SYS: ZwOpenSection failed (0x%x)\n" | |
| $a14 = "CITMDRV.SYS: offset = 0x%x\n" | |
| $a15 = "CITMDRV.SYS: aligned end Address = 0x%I64x\n" | |
| $a16 = "CITMDRV.SYS: aligned start Address = 0x%I64x\n" | |
| $a17 = "CITMDRV.SYS: requested Size = 0x%x\n" | |
| $a18 = "CITMDRV.SYS: requested Address = 0x%I64x\n" | |
| $a19 = "CITMDRV.SYS: MmProbeAndLockPages access violation\n" | |
| $a20 = "CITMDRV.SYS: IoAllocateMdl failed\n" | |
| $a21 = "CITMDRV.SYS: userVirtualAddress = 0x%p\n" | |
| $a22 = "CITMDRV.SYS: unknown IRP_MJ_DEVICE_CONTROL\n" | |
| $a23 = "CITMDRV.SYS: IRP_MJ_CREATE\n" | |
| $a24 = "CITMDRV.SYS: IoCreateDevice failed\n" | |
| $a25 = "CITMDRV.SYS: IoCreateSymbolicLink failed\n" | |
| $a26 = "CITMDRV.SYS: DriverEntry...\n" | |
| $w0 = "\\DosDevices\\CITMDRV" wide | |
| $w1 = "\\Device\\PhysicalMemory" wide | |
| $w2 = "\\Device\\CITMDRV" wide | |
| $m0 = {A9596674DA3D8A7D7AD8FCF580447BFE476A14554E50470BECD3EDCEF638F74F69B9B1F0B678820A8C761667E202ADB70DA58AF603FC66D3FC082DCCB573597B89DC336E665A5E5237B462D1925935148B45AC59B24D24A298946842729F3A68E26B8B9E222DF4984E9AC6AFB3E4A0AB3C28BF23E1D772A4F2105367AE77AF51} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {C19C559C6A1B732FDAC3DEF6D5255CF6D9C9116D00B46A3D4C1D2351789690D3CCD17891EC9A395511748C2F4C0B6B98C6BBBEE515A6A7450D6F3048153E46FE0FCFAA68D4F1D32E35EA6BCA67FA90A8F3A533A3711A685B4E4219E4CE7A2DBBE5C0BBCE17167C18741E76C599D7D6073C70CA65FB1923BE80260E86FF71125D} | |
| $m3 = {BE671DB460AA10496F56177C66C95E860DD5F1ACA771838E8B89F88804891506BA2D842195E4D19C504CFBD222BDDAF2B2353B1E8FC309FBFC132E5ABF897C3D3B251EF6F3587B9CF401B5C60AB880CEBE27746167274D6AE5EC81615879A3E01710121527B0E14D347F2B472044B9DE6624668ACD4FBA1FC538C85490E172F61966756AB94968CF38790DAA30A8DB2C60489ED7AA1401A983D7389130391396033A7C4054B6ADE02F1B83DCA811523E02B3D72BFD21B6A75CA30F0BA9A610500E342E4DA7CEC95E25D48CBCF36E7C29BC015DFC31875AD58C8567588819A0BF35F0EA2BA321E790F683E5A8ED60785E7B6083FD570B5D410D635460D64321EF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\NTIOLib_MSISimple_OC" wide | |
| $w1 = "\\DosDevices\\NTIOLib_MSISimple_OC" wide | |
| $m0 = {A9596674DA3D8A7D7AD8FCF580447BFE476A14554E50470BECD3EDCEF638F74F69B9B1F0B678820A8C761667E202ADB70DA58AF603FC66D3FC082DCCB573597B89DC336E665A5E5237B462D1925935148B45AC59B24D24A298946842729F3A68E26B8B9E222DF4984E9AC6AFB3E4A0AB3C28BF23E1D772A4F2105367AE77AF51} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {B24F14E710BED72672AB3697EF53BF42845E58D18A28FC43466F7E2844500B755D00D73C0A449E206AA4F7454A3760A36E3F12FA6DFAB646C36AA3B80C2728025728D150F7613955B8C3E12586523CBF051DD7B39AF89A243149D5A2A9E2D391AB3E3C73EFF629F1C835D0307B7F4E92A5068F87E2CEF5C16366AC18692AC15EBB5AE86E95FF3B80629D99C7C72F66D5FD621A82555AC6FA40778EC9303C1BF0F235B86C599CFDE9D6CAB4401EF704CAD167A974E3A50854D983353B8E8C230C75B6DE864A9E1A3E0A5049389CD2A890BF98FAC88C2B27117E2AFBCEDEA9AE389322FAA6ECFB5C6176C344D6CC0C7E2F6D0680A27440BBB71FF43BD773541FF3} | |
| $m3 = {BE4A2335C1F42275B5B0E7DD0A5B0C23655C15460D6E2E8455950F3EF4B46165CFB462C11F2C83EF605BF8ED1DC0808584DFD27F07F168DCDB64FB74B8F5A27190D81B187D0DD3F16A379AE523C9E2CF99ECC3EC1DA2567DB7967A08068BBC3288C310C7C6E0A34D724969FA8E317A31B2C8A414CBF217370C842939E5AE40813C50D577DCFED6E87CD8DF87744A8DED04E18FDD01E450A737B1663BF0A883778250EE26B95DD6A1F3F2AD0509B44D9E4CA02267FE8BC62F00197AD013933EC5F91B85208709E947F724CB1A1193F9CE3F1CD8CFAEC366C3C941E12F65EB098B67E31B59175C57B4D0A8988A7B5D93084EA27D4C14D525EC42C2B117D2BDA47B} | |
| $m4 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "GetDevicePropertyString: IoGetDeviceProperty() for property request returned %x\n" | |
| $a1 = "GetDevicePropertyString: Could not allocate %d bytes of memory\n" | |
| $a2 = "GetDevicePropertyString: IoGetDeviceProperty() get property field size returned %x\n" | |
| $w0 = "HalGetBusDataByOffset" wide | |
| $w1 = "\\Driver\\ACPI" wide | |
| $w2 = "\\Driver\\PCI" wide | |
| $m0 = {B64910BD70129569B3C8BADE8AC72F7741EB33B405FF89A7162FC2F32D2A693EF21A47D5B74E77A1B1FB19C2497E52407F55BDFE1D5CFB19577EC7C42DB38C549CC032EDC0F1601267F163204D36AAC58513FDD37DA39DE7E0DB38C3A30842120E16281EF499CD2B6522E85C66B88C4CFB3556F76ABCB0671F7795207D8CD40D5C5C8E0D2304D66EF8176472BB3C42F9F83F89DB337071ACAC1ADF16171ACFC853B127B8C2327670E86C5825A3F2F4006C29ADEFCA3D28BA8978321EC1BDD2FD2764BD028F7F2F8B4F675CA34830600D4FA7B144DBEC7745B139F0C6B0D60DBB112015A6C1AF3EB2020C05BC04AB8EF6EB55B506FB98AE80E57C0FCC111DAA73} | |
| $m1 = {A39C308409A7632ECF0A47F0EA24F9A330200F5E573126819A3107B250D4CE670908650A5AA54BAED5ED102EE7A599B59F682F988B5802AC20B429C471BD281CA5FD3C9B64E4C5EBDF6125BCF0EE68BFD1A7CB7E2A02814E645C0C53867957193761B798F90CA04E22599BF91B2D673C273C569066E3FD7F657D0F86BD3547E88ACCF4DA8EE96A4EABA755ECA2891ED5334553CBF99E77BDCD2CF905B87F74011DE8FB18E143D10DE9AADC376FBDFEB80FED1D4D01464E0AACFC82E8EC5683138E3A01ED146474EA64B26610B6686DC870007D50482E3D43EEE02495C6CD8EC7FDB8E495CFDD7EFB955EA101CD43B107D7A430EE9B861A2A6EC10B59A2746F8B} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\OpenLibSys" wide | |
| $w1 = "\\DosDevices\\OpenLibSys" wide | |
| $m0 = {C6BCD918CF65D1873C8AFC9A0942B968C9F0BD6807B070611D73DFACDDF6BEDC36127E5C6079BE65640F2C12A65CB053C97A98011588C787BD81902DAD544B4C0CDA4DCF87A1D155CEC97BE3ACCA492FBB2222210D6ECE8421DD6B0A3F7FA02952C441029D8FBD2392A35BAB14FDFB5C7A6B9CC71AE6E4D6C9FCECE71D916EA62B6337EE7BF76FBD6137AD7E690A2FC6EB34BB3E09E8A9806DEC1A9D897A93336BE05307278ACEC04DA7E20A92FC5FF15716E863E7D251F50D8E892DB6C291C04592488087522D84F46D7201E5CF9BD831FE2BA6AAA5397F3AC78A7AD5FB27A0FC8CDE13C0F280FE92FEA842D30F49A793BA0C64B408D6B8C2FD02EA475DBAE7} | |
| $m1 = {BDEF30F130F134A98965774D46A78D90FDAE4F8ECA2817BA59E3A8920A45032A8A8FE50950555281F0A391B1D9122A81F6C2031C3C82C072CDF1A700D7F5549C0A47EE9A9541928EA0AD093DD3EBA274AD9F192009B67DA65E359F4F396A03B58AAD1F96626B17B9AB8760D55D6DD992C9D013AED488D950A8449104B0EA47EA5FB2ED04C1D7017C21F8C47123FC6B4C654433C38D1DE6D2661C522946C406E70B35F05901660089CF9CE37B78AA53E2EEAC3595E7FD5DD7429495D31A6E315547D7EBADC74C9F5471831A17C8F9E7CE5801F436BFAE3F599F657C40075C732034A212C349F46840691E89E085E93AB79763BB47B0396B41007EF54BB87FE321} | |
| $m2 = {A29B752AA713BA09712418DFA1066229129EDC9E7573E8DF5657699613564FF2C8BC0158ED2686720B60F519C55503579BB910C9A1D47440FF6C00E8E65337FEB7DA793EB85238E9812C9F0E3352A6CD70CE4A5D62F4D1675EBC974A07CABCDD8D47B1CDF1655B8501B04B6BDECD8E2EF550E8A39C9D26986B366341037044F05FE2257579507D5FA106A2460C55954714D39146866899E727F494EC9A4151F796D47A8CE14497687103D8586FBDB41042EE0D6675468B4496D23000120763F7449B0170CA566F9C58972A27178B2E71526D46ABA72B0F7F164864C852FA0617000774D745B30CF5789573E80AEEC4E0728C1E11AA1EBB5ECEF9B400EE73BDCD} | |
| $m3 = {CDCB1B731DA7FFDFC3AE4782C100F2913C1080D775E6A2E0B08AF86B73C248F9D98482DB6FBEAEBF56529935AFD6C2E3E2D1D4B6A79350720480F4C96B15F3FC7C3B584F77E24904628B999062038592FE0C6BDF41C4B28D581E88B9106104B4C7839CC2B116D6BD649507F9F9A65A3991523A2C27F8D0DCD31A9A598510B50061253B3D1317C8114C76A6FE4C61CC59D2C44330215C1540094F73E1C195A465668FDBD3A83011F9C5AC131150A84FB7541FECAF991A39A0ED2803117BBAB0B2FB843EB6F8744B899B990A9AE7F8894DB889C9B4A500339065C44260CEBC43423813D5DE5B6BA24ED13F4A3945675801B82353EF370766017FBF6709050BE7BF} | |
| $m4 = {B0B1F2800070CEECC38CB497EDC6098C266F89DF675981CFDE14134CC2B145E2537541FA07366FBA117028947C6D72BD071525653A09FF85DCFA7B5E378738E4C74B0880989E8ACD580902C0C30149965888892659F56DC6B9C1FB1825EDD8624ECA0A6C5D70EFCED39B290B09C6F6EEB616D43C548ECC5DE0AFDBDD2309327B328116620A06CB7ACF3421B66F36B6B1CECB9A2935403E9D587CFFAD8298FAB8D589CA35DDCBCD5706CB9BE4BF94A880985F7796F0B6E7AB74794021A663E9D00791BD8538B4AE96ACA1FF1473DAA545B84D86CE2A3CEFD4DF280E75A9A88813C2E47C6093F225CC038497E64EB69F2DD6B58B343CABD5383AC83DC4B1F994CD} | |
| $m5 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "Nal Windows Driver Unload: IoDeleteDevice NOT called: NULL DeviceObject\n" | |
| $a1 = "Nal Windows Driver Unload: Leaving... \n" | |
| $a2 = "Nal Windows Driver Unload: Starting\n" | |
| $a3 = "Nal Windows DriverAddDevice: done\n" | |
| $a4 = "Nal Windows DriverIoCreateSymbolicLink failed. Status = 0x%x\n" | |
| $a5 = "Nal Windows DriverIoCreateDevice failed. Status = 0x%0x\n" | |
| $a6 = "Nal Windows DriverAddDevice: entered\n" | |
| $a7 = "Nal Windows DriverCreate: Leaving\n" | |
| $a8 = "Nal Windows DriverCreate: Starting\n" | |
| $a9 = "Nal Windows DriverClose: Leaving\n" | |
| $a10 = "Nal Windows DriverClose: Starting\n" | |
| $a11 = "NalDeviceControl: InputBuffer was NULL\n" | |
| $a12 = "Nal Windows DriverDeviceControl: Invalid IOCTL code 0x%0x\n" | |
| $a13 = "NAL_ENABLE_DEBUG_PRINT_FUNCID: FunctionData is NULL\n" | |
| $a14 = "NAL_KKMEMCPY_FUNCID: One of the buffers was NULL\n" | |
| $a15 = "NAL_KUMEMCPY_FUNCID: One of the buffers was NULL\n" | |
| $a16 = "NAL_KMEMSET_FUNCID: One of the buffers was NULL\n" | |
| $a17 = "Kernel: " | |
| $a18 = "_NalWinGetUserAddress: Unable to allocate MDL\n" | |
| $a19 = "_NalWinGetUserAddress: Address To Free = 0x%p\n" | |
| $a20 = "_NalWinGetUserAddress: MmMapLockedPages failed. Freeing MDL\n" | |
| $a21 = "_NalWinGetUserAddress: KernelLevelAddress = 0x%p\n" | |
| $a22 = "_NalWinGetUserAddress: Using memory map table slot %d - Length %d\n" | |
| $a23 = "NalUnmapAddress: Unmapping non-usermode mapped address 0x%p, Length %d\n" | |
| $a24 = "NalUnmapAddressEx: Address not found in table - not unmapping 0x%p, Length %d\n" | |
| $a25 = "NalUnmapAddressEx: Global_WinMemoryMapTable[i].AddressToFree = %p\n" | |
| $a26 = "NalUnmapAddressEx: Unmapping OriginalMemoryMapped\n" | |
| $a27 = "NalUnmapAddressEx: Skipped MmUnmapLockedPages - AddressToFree or Mdl was NULL\n" | |
| $a28 = "NalUnmapAddressEx: Calling MmUnmapLockedPages\n" | |
| $a29 = "NalUnmapAddressEx: Slot %d matched\n" | |
| $a30 = "NalUnmapAddressEx: Global_WinMemoryMapTable[%d].MappedAddress = 0x%p == 0x%p\n" | |
| $a31 = "NalUnmapAddressEx: Looking to unmap 0x%p, Length %d, ProcessId %d\n" | |
| $a32 = "_NalAllocateMemoryNonPaged - MmAllocateContiguousMemory failed\n" | |
| $a33 = "_NalAllocateMemoryNonPaged - VirtualAddress = 0x%p\n" | |
| $a34 = "_NalAllocateMemoryNonPaged - MmMapLockedPages failed. Freeing MDL\n" | |
| $a35 = "_NalFreeMemoryNonPagedEx: Memory entry 0x%p is not entered into the table. Not freeing anything.\n" | |
| $a36 = "NalMmapAddressEx: *VirtualAddress = 0x%p (mapped to user)\n" | |
| $a37 = "NalMmapAddressEx: *VirtualAddress = 0x%p (not mapped to user)\n" | |
| $a38 = "NalMmapAddressEx: Vaddress = 0x%p\n" | |
| $a39 = "Translated" | |
| $a40 = "Looking for match for %d/%d/%d\n" | |
| $a41 = "_NalReadPciDeviceCount found %d devices (%d)\n" | |
| $a42 = "c:\\users\\cloudbuild\\337244\\sdk\\nal\\src\\winnt_wdm\\driver\\windriverpci_i.c" | |
| $a43 = "FillKernelContext: VirtualAddress: %p\n" | |
| $a44 = "_NalHasInterruptOccurred returning %s\n" | |
| $a45 = "NalResolveOsSpecificIoctl: FuctionId = %d\n" | |
| $a46 = "NalResolveOsSpecificIoctl: NAL_WIN_IS_ADAPTER_IN_USE_FUNCID FunctionData is NULL\n" | |
| $a47 = "NalResolveOsSpecificIoctl: NAL_WIN_ADAPTER_IN_USE_FUNCID FunctionData is NULL\n" | |
| $a48 = "NalResolveOsSpecificIoctl: NAL_WIN_DRIVER_GET_REF_COUNT_FUNCID FunctionData is NULL\n" | |
| $a49 = "NalResolveOsSpecificIoctl: NAL_WIN_OS_DEVICE_FUNCID FunctionData is NULL\n" | |
| $a50 = "NalResolveOsSpecificIoctl: NAL_WIN_FREE_DEV_CONTEXT_FUNCID FunctionData is NULL\n" | |
| $a51 = "NalResolveOsSpecificIoctl: NAL_WIN_ALLOC_DEV_CONTEXT_FUNCID FunctionData is NULL\n" | |
| $a52 = "NalResolveOsSpecificIoctl: NAL_WIN_GET_SYMBOLIC_NAME_FUNCID FunctionData is NULL\n" | |
| $a53 = "NalResolveOsSpecificIoctl: NAL_WIN_GET_PDO_POINTER_FUNCID FunctionData is NULL\n" | |
| $a54 = "NalOsSpecificIoctl: FunctionId = %d\n" | |
| $w0 = "\\DosDevices\\Nal" wide | |
| $w1 = "\\Device\\Nal" wide | |
| $w2 = "\\REGISTRY\\MACHINE\\HARDWARE\\RESOURCEMAP\\PnP Manager\\PnpManager" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {CBDFCAB105692CD733043088BF2B0BF6CC3D0698DD4A1DD4E3650B1FF86A6A1EA4776C92F4916564B3F1E2EEEC0E307FF3AE6AE22BF887A233A904486D6AF7EB93D0D75167E30389ADFD0C118A30C93143F253E3CB126C5F95500579AB9744004547CBE9394E4DB484194A3AA0D8D121CA92887D30911E5B68694D66EAE74926FBEE110E5E155F84D924F926B1A81C840D41E9FD8C8B59CFC16E1ED4C24734A1A6B4F3EC1AC3F383E2EDC995F4BD498259C3E99BE0412EA0E54D6CE2E98BFEBF05E10B355C51CACAD48322C6C98A371B18BF930C6AF0DAF4084694F50BBBF31F6431D9E70771B498FD731FC7B9933FD2885DE9F92C09037E07735600F1EF047F} | |
| $m3 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m4 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8" | |
| created = "2023-04-07" | |
| strings: | |
| $m0 = {998252AD8F327587F8ECD9D8A3303FE97D692B36F2931A32ADC19A171B8239982B6B3356306A13BC30A3E48F9F97C05E69B6448BE5BF126396314EF9BC0CF7F308BE39A3DD156426530EF5718022B16927A6E5CF69FE4C801EAA462D4FBE8BD17FC7C4DAF2013509A9D83DB7BEC1F4538B52D6974A9A6CF1AC6E067827E4DC016793C40BFFCC3124EA62278240948F75F46E16AE88856A635C2B31248CC6B95DDE2A7B456F0A8DB38B9B5FFC9C45E51861620586B6A07A36B216AD42059A54C02BFD5D708808B92EF905A3F059C013AB72B68DA05182CB9EE1C978962BACCB2B495AA5D33FCFD213E44DBC44E11BFAE27E04A74B2CDE3FEB22CF7CD96C30668F} | |
| $m1 = {A39C308409A7632ECF0A47F0EA24F9A330200F5E573126819A3107B250D4CE670908650A5AA54BAED5ED102EE7A599B59F682F988B5802AC20B429C471BD281CA5FD3C9B64E4C5EBDF6125BCF0EE68BFD1A7CB7E2A02814E645C0C53867957193761B798F90CA04E22599BF91B2D673C273C569066E3FD7F657D0F86BD3547E88ACCF4DA8EE96A4EABA755ECA2891ED5334553CBF99E77BDCD2CF905B87F74011DE8FB18E143D10DE9AADC376FBDFEB80FED1D4D01464E0AACFC82E8EC5683138E3A01ED146474EA64B26610B6686DC870007D50482E3D43EEE02495C6CD8EC7FDB8E495CFDD7EFB955EA101CD43B107D7A430EE9B861A2A6EC10B59A2746F8B} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\NTIOLib_1_0_6" wide | |
| $w1 = "\\DosDevices\\NTIOLib_1_0_6" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {B24F14E710BED72672AB3697EF53BF42845E58D18A28FC43466F7E2844500B755D00D73C0A449E206AA4F7454A3760A36E3F12FA6DFAB646C36AA3B80C2728025728D150F7613955B8C3E12586523CBF051DD7B39AF89A243149D5A2A9E2D391AB3E3C73EFF629F1C835D0307B7F4E92A5068F87E2CEF5C16366AC18692AC15EBB5AE86E95FF3B80629D99C7C72F66D5FD621A82555AC6FA40778EC9303C1BF0F235B86C599CFDE9D6CAB4401EF704CAD167A974E3A50854D983353B8E8C230C75B6DE864A9E1A3E0A5049389CD2A890BF98FAC88C2B27117E2AFBCEDEA9AE389322FAA6ECFB5C6176C344D6CC0C7E2F6D0680A27440BBB71FF43BD773541FF3} | |
| $m2 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m3 = {BE4A2335C1F42275B5B0E7DD0A5B0C23655C15460D6E2E8455950F3EF4B46165CFB462C11F2C83EF605BF8ED1DC0808584DFD27F07F168DCDB64FB74B8F5A27190D81B187D0DD3F16A379AE523C9E2CF99ECC3EC1DA2567DB7967A08068BBC3288C310C7C6E0A34D724969FA8E317A31B2C8A414CBF217370C842939E5AE40813C50D577DCFED6E87CD8DF87744A8DED04E18FDD01E450A737B1663BF0A883778250EE26B95DD6A1F3F2AD0509B44D9E4CA02267FE8BC62F00197AD013933EC5F91B85208709E947F724CB1A1193F9CE3F1CD8CFAEC366C3C941E12F65EB098B67E31B59175C57B4D0A8988A7B5D93084EA27D4C14D525EC42C2B117D2BDA47B} | |
| $m4 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\NTIOLib_MSICEN" wide | |
| $w1 = "\\DosDevices\\NTIOLib_MSICEN" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {B24F14E710BED72672AB3697EF53BF42845E58D18A28FC43466F7E2844500B755D00D73C0A449E206AA4F7454A3760A36E3F12FA6DFAB646C36AA3B80C2728025728D150F7613955B8C3E12586523CBF051DD7B39AF89A243149D5A2A9E2D391AB3E3C73EFF629F1C835D0307B7F4E92A5068F87E2CEF5C16366AC18692AC15EBB5AE86E95FF3B80629D99C7C72F66D5FD621A82555AC6FA40778EC9303C1BF0F235B86C599CFDE9D6CAB4401EF704CAD167A974E3A50854D983353B8E8C230C75B6DE864A9E1A3E0A5049389CD2A890BF98FAC88C2B27117E2AFBCEDEA9AE389322FAA6ECFB5C6176C344D6CC0C7E2F6D0680A27440BBB71FF43BD773541FF3} | |
| $m2 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m3 = {BE4A2335C1F42275B5B0E7DD0A5B0C23655C15460D6E2E8455950F3EF4B46165CFB462C11F2C83EF605BF8ED1DC0808584DFD27F07F168DCDB64FB74B8F5A27190D81B187D0DD3F16A379AE523C9E2CF99ECC3EC1DA2567DB7967A08068BBC3288C310C7C6E0A34D724969FA8E317A31B2C8A414CBF217370C842939E5AE40813C50D577DCFED6E87CD8DF87744A8DED04E18FDD01E450A737B1663BF0A883778250EE26B95DD6A1F3F2AD0509B44D9E4CA02267FE8BC62F00197AD013933EC5F91B85208709E947F724CB1A1193F9CE3F1CD8CFAEC366C3C941E12F65EB098B67E31B59175C57B4D0A8988A7B5D93084EA27D4C14D525EC42C2B117D2BDA47B} | |
| $m4 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\DosDevices\\inpoutx64" wide | |
| $w1 = "\\Device\\PhysicalMemory" wide | |
| $w2 = "\\Device\\inpoutx64" wide | |
| $m0 = {C4B5F25215BC88866029164A5B2F4B916B8791F335545835EAD1365E624D52513471C27B661D89C8DD2AC46A0AF637D9987491F692AEB0B57696F1A94A6345472E6B0B924E4B2B8CEE584A8BD407E41A2CF882AA58D9CD42F32DC075DE8DABC78E1D9A6C4C08951EDEDBEF67E172C249C29E603CE1E2BE16A3637869147BAD2D} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {BEBCEEBC7EEF83EBE0374FFB031038BE08D28C7D9DFA927F190CC26BEE42528CDED31C481325EAC1637AF95165EED3AA3BF5F0949C2BFBF266D424DAF7F59F6E193936BCD0A376081E2227246C389127E28449AE1B8AA1FD25822C1030E871AB28E8774A51F1ECCDF8F054D46FC0E36D0A8FD9D8648D63B22D4E27F6850EFE6DE32999E285477C2D867FE8578FAD67C23332911320FCA923149A6DC2844B766804D5712C5D21FA880D26FD1F2D912BE701554DF26D352882DFD96B5CB6D6D9AA81FD5FCD83BA639DD022FCA93B4269B28E3AB5BCB49E0F5EC4EA2C828B28FD530896DDB50120D1F9A518E7C0EE517037E1B6054852486F38EAC3E86C7B4484BB} | |
| $m3 = {B41F285FC92D48A2FAFBAC405B11C70C8927B06D3F27C04DF8A8C8AD07AD839C7D13508EBD6D9AB61B0184370F6940FA17C6B51EA90844E8B0AB3F130382C61EBE56239A3E37B8D1BA00C694FF09C3361ECEBD0C47C265859F54915F748680076E105A2271F3358E5C9076E9641D8B36DD57B31B1999BC66AA0DFF69623BF017} | |
| $m4 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6" | |
| created = "2023-04-07" | |
| strings: | |
| $m0 = {E4060A27CBB70F309A41CFFB9ED787C959A391681EC69820AD8207B05474D546278A212BC5DEF19585F242F6608B7B02B075B5CEFE6BAA6E2EB907BD6FA8368F86125506FB5DC3E14AAA6136DD6B1C24E5F3B64D2CE8AC551062EF090FAD864698CE01B9003FE24FE54C1AD55BC872EA663225F66828BDC318537F981D0F558B} | |
| $m1 = {A29B752AA713BA09712418DFA1066229129EDC9E7573E8DF5657699613564FF2C8BC0158ED2686720B60F519C55503579BB910C9A1D47440FF6C00E8E65337FEB7DA793EB85238E9812C9F0E3352A6CD70CE4A5D62F4D1675EBC974A07CABCDD8D47B1CDF1655B8501B04B6BDECD8E2EF550E8A39C9D26986B366341037044F05FE2257579507D5FA106A2460C55954714D39146866899E727F494EC9A4151F796D47A8CE14497687103D8586FBDB41042EE0D6675468B4496D23000120763F7449B0170CA566F9C58972A27178B2E71526D46ABA72B0F7F164864C852FA0617000774D745B30CF5789573E80AEEC4E0728C1E11AA1EBB5ECEF9B400EE73BDCD} | |
| $m2 = {C30CB7120D4D688A33DE3605F03CBAF5DACD0E537B469F82F26213D7C177ADBB81377E4F1E9381C10622DA1D5084C6979592A993B63DAB867919547D0E16044CC488972CC6A1A85F153AD2642BCC3E0C7AE8A456B11EBBCF84CE8D353A349C6C2DC077B530A91F67E63A09443A437241A291C3469A1FB6B9A70FAF1C751B6425E7086C1447F5471ADE8EEAA263957DF5A8AD55A2649B726FB902733F398A395CC4FE8FFB119CBD10194963D043228BD6AB92997414CF3007BE4FBDFD8A8F9E5ADF6D3CCC5A995090B9ADC29743C25FEDCD333D87CCC1A05BA9623B787D64A3AC4D1F2BD703116C71548AB0ABB11CD67D23DB40073726DB50AF383DA607756F97} | |
| $m3 = {CDC23D5D7722D0C27D3832C315831F426A3B5366DD6A36440D69CF688D89459F7E2FEE423A337C3E00D3976AD85AD5C34D920A5F0650FDBF6CC403A28260D8ED522E1374DE97C645217B55F6EAB16403FC746BB25FC76C6C43148A241037499581D24812A5A2764950217FCA85730A3C5DB52EAD90AA5E4D32CB1793D97F96C0C0896556D9C5B13F981B27FA49EE1D1BCB068C301C3BC5A7705BA8AB185AFEC8F68EBF015D8F6198340F5851FFDF32EA54651C142B6CFC0C901967ED9BD9DA639BD65A24A3748E082300A192B51E0BD108A0667F921BA3ED806402498FB684EFD1558E5EA9975AC50802889456BF92EB2A2D063592B5373631ECC3FE7A3BC285} | |
| $m4 = {B0B1F2800070CEECC38CB497EDC6098C266F89DF675981CFDE14134CC2B145E2537541FA07366FBA117028947C6D72BD071525653A09FF85DCFA7B5E378738E4C74B0880989E8ACD580902C0C30149965888892659F56DC6B9C1FB1825EDD8624ECA0A6C5D70EFCED39B290B09C6F6EEB616D43C548ECC5DE0AFDBDD2309327B328116620A06CB7ACF3421B66F36B6B1CECB9A2935403E9D587CFFAD8298FAB8D589CA35DDCBCD5706CB9BE4BF94A880985F7796F0B6E7AB74794021A663E9D00791BD8538B4AE96ACA1FF1473DAA545B84D86CE2A3CEFD4DF280E75A9A88813C2E47C6093F225CC038497E64EB69F2DD6B58B343CABD5383AC83DC4B1F994CD} | |
| $m5 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\NTIOLib_1_0_4" wide | |
| $w1 = "\\DosDevices\\NTIOLib_1_0_4" wide | |
| $m0 = {C4B5F25215BC88866029164A5B2F4B916B8791F335545835EAD1365E624D52513471C27B661D89C8DD2AC46A0AF637D9987491F692AEB0B57696F1A94A6345472E6B0B924E4B2B8CEE584A8BD407E41A2CF882AA58D9CD42F32DC075DE8DABC78E1D9A6C4C08951EDEDBEF67E172C249C29E603CE1E2BE16A3637869147BAD2D} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {A29B752AA713BA09712418DFA1066229129EDC9E7573E8DF5657699613564FF2C8BC0158ED2686720B60F519C55503579BB910C9A1D47440FF6C00E8E65337FEB7DA793EB85238E9812C9F0E3352A6CD70CE4A5D62F4D1675EBC974A07CABCDD8D47B1CDF1655B8501B04B6BDECD8E2EF550E8A39C9D26986B366341037044F05FE2257579507D5FA106A2460C55954714D39146866899E727F494EC9A4151F796D47A8CE14497687103D8586FBDB41042EE0D6675468B4496D23000120763F7449B0170CA566F9C58972A27178B2E71526D46ABA72B0F7F164864C852FA0617000774D745B30CF5789573E80AEEC4E0728C1E11AA1EBB5ECEF9B400EE73BDCD} | |
| $m3 = {BE2794996C4B3FA39C28F8E6124A05A5316441DFE0F087D59DFBC11259F88F8067D69B9F6046EAF084B1629A2CA0BF2498A31B4F181D1E1E952E870944256088967CA045958D071E9C135E8DC1CDCB66B8B3C65A2AFD3003055D7DA2CDBE8A1EB7889518CF35891488B3E8A849CE2A195C7D3ABDFC5EA01035D675B1FCD9CA35} | |
| $m4 = {B0B1F2800070CEECC38CB497EDC6098C266F89DF675981CFDE14134CC2B145E2537541FA07366FBA117028947C6D72BD071525653A09FF85DCFA7B5E378738E4C74B0880989E8ACD580902C0C30149965888892659F56DC6B9C1FB1825EDD8624ECA0A6C5D70EFCED39B290B09C6F6EEB616D43C548ECC5DE0AFDBDD2309327B328116620A06CB7ACF3421B66F36B6B1CECB9A2935403E9D587CFFAD8298FAB8D589CA35DDCBCD5706CB9BE4BF94A880985F7796F0B6E7AB74794021A663E9D00791BD8538B4AE96ACA1FF1473DAA545B84D86CE2A3CEFD4DF280E75A9A88813C2E47C6093F225CC038497E64EB69F2DD6B58B343CABD5383AC83DC4B1F994CD} | |
| $m5 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35" | |
| created = "2023-04-07" | |
| strings: | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {DB5C13D2723CE85E68470607D6540005C8DAD51C4A69EB5945C790D475E0BBF389854977BCA2EC396CB865B77B8D34C28EC8949CE78B14920A3A7DEB99E44FDD744F418A380A38D345CEA2AB79BFFC1B7ED0E45CF1D2F02847322025D1A8FD85EBB753878812CD1BA898A85E12A82AAF2CFEEEF00D09626687336432DB9ED81469E6150C0B0298A2B52F73507217B11B87192B0D12B94295EFF4752486585622541B176A329873A8371C0C03785B58D19AC84104AEED40B84F7277AFF20628B4A8C466F4C7905AA08B1812A5EF8C7F408A76F38B8210F980D21C5529564F9CA5B5444E0C2F97F82F147754340C99E71DEA4E82DB1F40486D9CAABE05640BDE1B} | |
| $m5 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\DosDevices\\BS_RCIO" wide | |
| $m0 = {BCE9238C02E3369575D0B74EBBF849ACB31B770A449D3D3D8AF9AC9960342224409F55BBB3EF04C1B83E942270AFBFA85296A94E2B8EB536942CF1915741BB31DD3AEDEB14079B3A7E795EA13864D53B1D2B8509718CE83C0D15785EFB9AE173A8D231B40110D0CCC600EE33F012FC6339B7A0DF1000571729DD6F3064A0ECA13F5F55AFF5EB2A33CC80EF3C340749FC7AF033537F34E4B4281A177391B543F7A9249BB8A879F0F1ED11D3F118258B40DAD4EEE23C6CA7D30B2847BD8FCC3F89FAC64E14B10A526434AA273CD81AC54F0BEB75C691DF5353D7F1ED754E13D70AA6312443A9B965326F3177A4D0AFB027FA8485089FE026F3B5815CC3CB354777} | |
| $m1 = {CB5F1EAB51F4D37D612DD2199ABD25FD975C75CDCC23B09955F2B98003366A6F80C60CB5BA3C27450406156BAD0EDE7E47AE3803736B3D28130D242C2F391848A7465E08A9C45360C98C30A3C67D632146E008932FB895976F29FF79D88E9739C833A3571E307214EEB77A7FFF59DB35D075E9C9B2729D56C1CBB72CB7C79B1E2F6B9DE0493A1BF439D3BDA80BA769995B131C4E670937AEA0A826655ABA7FADBB49CA89066722C5E8921B198F02711F5BC1742406ACE87A28A96883A442BC2F247E81F17F27648F706768C372FB69D7E5F00E2C2233E41BC71BD7254D2FFC76FB317CF2989F8E1F6A9960ABBFF1320FCAFD33489D595C58ADE23D2978283074C8354EF2EF96185ADB60A8BEE7FD9AACF9C03DE37D4E4ACF0B65DF21A471E4222283F25360528E51813A35A0EAE9FCC175E085C206432C930ED3B762AF522735733FDB11A449F9BBE3DF3F95D9F9D493E870D9AC5B080C4931735FC6532C9B097548443349997730221181D41056562E24DC8CC49BB415A3618AD8C4EFE5CD44FBAD74E803A26D69C093A776BF16D97951B2A8109001DC87363E51AB71D9D14E958EE6D85BF3A9357087093B8C55F0D573357114FE6B0E5615B36B34BF7405EEA03B6DF86E3112E247F44BE7B7490DEB65CBA12384A47B5BF1E2FD6469CEB31F1B5B9F68F07522786FA839CBF0FEE4A667B90B4671FE7A7E75133E57E156509D} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_db2a9247177e8cdd50fe9433d066b86ffd2a84301aa6b2eb60f361cfff077004 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "db2a9247177e8cdd50fe9433d066b86ffd2a84301aa6b2eb60f361cfff077004" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\DosDevices\\" wide | |
| $w1 = "\\Device\\" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {D2259A2DA863D118C9674774330961BF2081F8EA1BA2782818BD518180111A36D4B4DF5C5755AEC8C6D098B19ADFA241FF6BE83AEAE6F3DE4C2519A9796ABC43E74E6A643CADD2EAE5229ECA5B42434FC19BE01ED8A6B6C3FE767D1A62B69FEEEEFE6EE49E0A45C877C517C0D54EC2E6074034B337748AF044CB891E4E2E5CDCDF5888EB143D3834AF6AA1D13528B210B522E546AB0BBDF0A723CB3C386432B0C73E46261187AF42021456E0703B5A2E52663C5EE48A41B36659CB73DB90852CEDF48B920F206C648CF8FA4F15EB9BE42A0A6058B15D41A1A499C707D6F1B51241C78F943314212B22EAF4A3CA8DB6F80CE5981BCF74D04EDAFCC58E27A580FF} | |
| $m3 = {97831E0016AF2CB1D208C4D7689351601E71F6E247B4DB584D23626AB4BF5A1B51F7A30D187768BBD836AB2F2150DA9EF3E75F274E0BC297C8097093A9DA5C0D4EA40D91A0B4EC14CE9172542ECEA3DB44E9521B3F413CCA4AE4AAC0E839AB53CC21D0CCCF7F9BE6C2CC586A8215EE3D36CF1CC59707248EF17BBE312D3D6EDCB599429F4B61955F1C70EE177DDB8BE5618978C7681BAF11781A98AEC4554753D9B332D6A10E4640C597928AD153A7995B853557D3EA936261200AC7307724114D6283B6BA7B688231EE65CADFF9D58DB235DC8C2B6F6A725C60849CF20C945EC056520048CCD3F8A57DDE2FD713E438A884D546B81386C21B9DEA5A38DD9BDB} | |
| $m4 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_436ccab6f62fa2d29827916e054ade7acae485b3de1d3e5c6c62d3debf1480e7 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "436ccab6f62fa2d29827916e054ade7acae485b3de1d3e5c6c62d3debf1480e7" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\PhysicalMemory" wide | |
| $w1 = "\\DosDevices\\Asusgio" wide | |
| $w2 = "\\DosDevices\\Asusgio" wide | |
| $w3 = "\\Device\\Asusgio" wide | |
| $m0 = {A9596674DA3D8A7D7AD8FCF580447BFE476A14554E50470BECD3EDCEF638F74F69B9B1F0B678820A8C761667E202ADB70DA58AF603FC66D3FC082DCCB573597B89DC336E665A5E5237B462D1925935148B45AC59B24D24A298946842729F3A68E26B8B9E222DF4984E9AC6AFB3E4A0AB3C28BF23E1D772A4F2105367AE77AF51} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {D230341C22141C55DBE3B5AD1B86BD0252E9AD3EA1E0B632961B925F4DBD74C7E2D7CEE8F8CB20B4D2CC021134397408C28CF916550555F516E00B5D382C569A3FEF1757AC8DD7CF1CF57E355054BC48FC251E4BAA8EF59E666319C2F537DE1BD36E2B2D67FC9C591AF77772304DBE392956DA2061D77BD916656903E01E0446E9A17D3571704223E5268EEF7302230ACB91AC667D6C598387B62A250289085BCAC88E73AE8D69C2A22AA5893CE9862596D12CB6F9444D2C845272D30620AF1EAC4B66531E8D95FF8CFF56093EA62D9A8AB82DC5C274B874F52DE4CFADA77D5BD9F086AD281BFA205F4326A97967D38292E75A55532228BBF4E7F86A6A7F88B3} | |
| $m5 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009" | |
| created = "2023-04-07" | |
| strings: | |
| $m0 = {A8C4965A3E0314A64D790E1D19A0F81490C76AEE19890050D137D715881526FC47A52FD4B711F6E1E4B0E79F04983501C1CBE57C7FC3671CBF8239267E37367D34B91003C1AF966801362ACD6CCB932EF949AB393F8FA6EFF3FEC7495F4AB44F559CE286F047B421439FE0E7F08FD5D71B4D77EA7ED1116E51CB949C15A021641303E3875C027FE77B7D668E9BBD933B6A389535A4E3551FA87F3C9BA22E13E19DFAD461E7922A096A16CE93CBB01CB4E5E3DECAAADEB5F0651717899A951DD65319C11EB8709907F8E35775EC1D79157D14DD0A627FEA76E274CAFF723ED304198B1C641FAA30ED0F885D48055153C07EB055FA6F39980695CAE36E546EA2AF} | |
| $m1 = {A39C308409A7632ECF0A47F0EA24F9A330200F5E573126819A3107B250D4CE670908650A5AA54BAED5ED102EE7A599B59F682F988B5802AC20B429C471BD281CA5FD3C9B64E4C5EBDF6125BCF0EE68BFD1A7CB7E2A02814E645C0C53867957193761B798F90CA04E22599BF91B2D673C273C569066E3FD7F657D0F86BD3547E88ACCF4DA8EE96A4EABA755ECA2891ED5334553CBF99E77BDCD2CF905B87F74011DE8FB18E143D10DE9AADC376FBDFEB80FED1D4D01464E0AACFC82E8EC5683138E3A01ED146474EA64B26610B6686DC870007D50482E3D43EEE02495C6CD8EC7FDB8E495CFDD7EFB955EA101CD43B107D7A430EE9B861A2A6EC10B59A2746F8B} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\DosDevices\\AsrDrv106" wide | |
| $w1 = "\\REGISTRY\\MACHINE\\HARDWARE\\RESOURCEMAP\\System Resources\\Physical Memory" wide | |
| $w2 = ".Translated" wide | |
| $m0 = {CC2576907906782216F5C083B684CA289EFD057611C5AD8872FC460243C7B28A9D045F24CB2E4BE1608246E152AB0C8147706CDD64D1EBF52CA30F823D0C2BAE97D7B614861079BB3B1380778C08E149D26A622F1F5EFA9668DF892795389F06D73EC9CB26590D73DEB0C8E9260E8315C6EF5B8BD20460CA49A628F6693BF6CBC82891E59D8A615737AC7414DC74E03AEE722F2E9CFBD0BBBFF53D00E10633E8822BAE53A63A16738CDD410E203AC0B4A7A1E9B24F902E3260E957CBB904926868E538266075B29F77FF9114EFAE2049FCAD401548D1023161195EB897EFAD77B7649A7ABF5FC113EF9B62FB0D6CE0546916A903DA6EE983937176C669858217} | |
| $m1 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| $m2 = {B62DC530DD7AE8AB903D0372B03A4B991661B2E5FFA5671D371CE57EEC9383AA84F5A3439B98458AB863575D9B00880425E9F868924B82D84BC94A03F3A87F6A8F8A6127BDA144D0FDF53F22C2A34F918DB305B22882915DFB5988050B9706C298F82CA73324EE503A41CCF0A0B07B1D4DD2A8583896E9DFF91B91BB8B102CD2C7431DA20974A180AF7BE6330A0C596B8EBCF4AB5A977B7FAE55FB84F080FE844CD7E2BABDC475A16FBD61107444B29807E274ABFF68DC6C263EE91FE5E00487AD30D30C8D037C55B816705C24782025EB676788ABBA4E34986B7011DE38CAD4BEA1C09CE1DF1E0201D83BE1674384B6CFFC74B72F84A3BFBA09373D676CB1455C1961AB4183F5AC1DEB770D464773CEBFBD9595ED9D2B8810FEFA58E8A757E1B3CFA85AE907259B12C49E80723D93DC8C94DF3B44E62680FCD2C303F08C0CD245D62EE78F989EE604EE426E677E42167162E704F960C664A1B69C81214E2BC66D689486C699747367317A91F2D48C796E7CA6BB7E466F4DC585122BCF9A224408A88537CE07615706171224C0C43173A1983557477E103A45D92DA4519098A9A00737C4651AAA1C6B1677F7A797EC3F1930996F31FBEA40B2E7D2C4FAC9D0F050767459FA8D6D1732BEF8E97E03F4E787759AD44A912C850313022B4280F2896A36CFC84CA0CE9EF8CB8DAD16A7D3DED59B18A7C6923AF18263F12E0E2464DF} | |
| $m3 = {CB20EF971EB9013243A05BA98A23FD205EAE38128BCA2CD4FF41D81A55D41953B7FDA317E77A395CC0F7CE11A3F9A5ED01FAB5BA93EFAF93DCF8E2B3194C83B04A4450047884106AA4D696908E81F87CAB2FB5A35733D2587B940E6D0FA591262AB3834F72B18A7B6492D0F0B4555F960B11E59AB52CB211CF251B7D512B981F49A35FF8139E35B80302DAA4132F854AEFC42F700EC1D4CC3312ECBD4095D311CAE6CDB3059CC853EB52D7784C51019282DE13F3078E74BA84809FD2A4150EE8AFEBF789F6DF71F0D1BEA7B241332075CCB1D5ED1D0719C4EB2677F2AB6D179349A9B7E6C3909CC6B8ECCCC97B9A5EC5C52493636F7E108B61CF9855A324A28836F2F99FBE932EB2069F26C00C015612E1B28A9F0E1EDC988B2ECFDAE28934A61F26A0A8AE786DECA188153CC2EAEEB7D8AD61A5AF7036A2798EDC0D73C0F1E42CAB94EC5806393648D63B5AE822CE740EAF2CF115DAD1B495E8ACD5496DE5AFDD9B6B63205D8E7E3BB243D8623A94E5CDB498B3371924127273AB04B009DC85E6D42204EF402A1D2E6DC769D36EB7016C0DE097A716E6268B88F70344865F62674CB5A737A855DC03368C6ECF6D3626F10E8FB03D71C0E132A782E4B6320232307CB593C821FD3C88E66963F8EE75C98BC2ABEFBA3AFDE95EBFB611F1BEF03DCA323E6E7DDE0F7E9B95C41287E71AB84EEE2CC1DFA165E82483C92AC2FDB953} | |
| $m4 = {BE069B06306ACA4182592301CD237E297B1A4C5F43F20D0014268F3850387325807B8278481242ACDB0A11915FFDB4C2CCFA0E6ABB4507AF4C25E2F39285A668E463836C9A5A820257839906C8A7562A71C55EDCE8C2251F92606ED1D05A5BD91CB5B925FAE9CA4168066448CB9C251AD60F41AE3BD4194A854744F38C8B5205EDDC0348C8A3618BDB394F4FA1C72023FACD3A0778A07729E1BB50DAAE841C861844DA3272B51ADE7A9BC78ECEBFC941BAC6C99B4C7F044D41549C3BDB63E9B11E8559D4275888D8F5ED545EED053D5DD71F821D8F4424DE0022574A8625913B416C616120B1993483C06A368E3AB0821EF3F5DF24D028899854932D56C171F2E5D9A671A86CB05E714F0935723103DA01A9A7051071DE74B4A462FE48E8FAD8450BE6E22C70DC965564C0F77D9E36F84EF81392847F1E4652506276FB82FE863CF55B25C4D9392A366CEBC799B774B5F3643C9AB11DB5935039BC66F9EF6D771DBAFC10EB47F5DC384AF3A9FFBD802C4E8FB43A6A1D33D19F9A0C5041F420CD8AE688A4794804C0D5A1CBD6D0915CD873DB231256B060F0052918EFBCB4CFFF9E6E07E3B03EA60880BFA43D2BA6596FFB5F9A0EBEB8C58465EE07D70B02AEB351738461A0E1E02113C32F8D5EFDE80521017E008BCB1BA985E83D39DB3B079CE8EDCF01B201AF1D7E192C376616D92B67ABB1B7B4FE5842F9E2BA73A80F559B} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_dde6f28b3f7f2abbee59d4864435108791631e9cb4cdfb1f178e5aa9859956d8 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "dde6f28b3f7f2abbee59d4864435108791631e9cb4cdfb1f178e5aa9859956d8" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\PhysicalMemory" wide | |
| $w1 = "\\DosDevices\\Asusgio" wide | |
| $w2 = "\\DosDevices\\Asusgio" wide | |
| $w3 = "\\Device\\Asusgio" wide | |
| $m0 = {C4B5F25215BC88866029164A5B2F4B916B8791F335545835EAD1365E624D52513471C27B661D89C8DD2AC46A0AF637D9987491F692AEB0B57696F1A94A6345472E6B0B924E4B2B8CEE584A8BD407E41A2CF882AA58D9CD42F32DC075DE8DABC78E1D9A6C4C08951EDEDBEF67E172C249C29E603CE1E2BE16A3637869147BAD2D} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {BE671DB460AA10496F56177C66C95E860DD5F1ACA771838E8B89F88804891506BA2D842195E4D19C504CFBD222BDDAF2B2353B1E8FC309FBFC132E5ABF897C3D3B251EF6F3587B9CF401B5C60AB880CEBE27746167274D6AE5EC81615879A3E01710121527B0E14D347F2B472044B9DE6624668ACD4FBA1FC538C85490E172F61966756AB94968CF38790DAA30A8DB2C60489ED7AA1401A983D7389130391396033A7C4054B6ADE02F1B83DCA811523E02B3D72BFD21B6A75CA30F0BA9A610500E342E4DA7CEC95E25D48CBCF36E7C29BC015DFC31875AD58C8567588819A0BF35F0EA2BA321E790F683E5A8ED60785E7B6083FD570B5D410D635460D64321EF} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {EC94053FCF73BC5C7F19B12B49D2532360E1EAD7B47BD3785AF118ACADB05C7B890DA71CF48AE739AC2D5D797D5893048B7FD7ECF7CCFD22249954A1F227429C44FE6687EEB51F3E5D64490E42B3DEDE3CEAB98B38BF3EB735606281CF56DB43FC4779CDCF86D556E9F142FEC9ACF299E22732C140253CEEE705A59CFED571AF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "Unknown" | |
| $a1 = "IOCTL_NT_KEEP_AWARD_DMI (Offset=%x , Size=%x)" | |
| $a2 = "Phoenix - Award" | |
| $a3 = "Phoenix-Award" | |
| $w0 = "\\DosDevices\\BS_Def" wide | |
| $w1 = "\\Device\\BS_Def" wide | |
| $w2 = "\\DosDevices\\BS_Def" wide | |
| $w3 = "\\Device\\PhysicalMemory" wide | |
| $w4 = "\\Device\\PhysicalMemory" wide | |
| $m0 = {C4B5F25215BC88866029164A5B2F4B916B8791F335545835EAD1365E624D52513471C27B661D89C8DD2AC46A0AF637D9987491F692AEB0B57696F1A94A6345472E6B0B924E4B2B8CEE584A8BD407E41A2CF882AA58D9CD42F32DC075DE8DABC78E1D9A6C4C08951EDEDBEF67E172C249C29E603CE1E2BE16A3637869147BAD2D} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {BEBCEEBC7EEF83EBE0374FFB031038BE08D28C7D9DFA927F190CC26BEE42528CDED31C481325EAC1637AF95165EED3AA3BF5F0949C2BFBF266D424DAF7F59F6E193936BCD0A376081E2227246C389127E28449AE1B8AA1FD25822C1030E871AB28E8774A51F1ECCDF8F054D46FC0E36D0A8FD9D8648D63B22D4E27F6850EFE6DE32999E285477C2D867FE8578FAD67C23332911320FCA923149A6DC2844B766804D5712C5D21FA880D26FD1F2D912BE701554DF26D352882DFD96B5CB6D6D9AA81FD5FCD83BA639DD022FCA93B4269B28E3AB5BCB49E0F5EC4EA2C828B28FD530896DDB50120D1F9A518E7C0EE517037E1B6054852486F38EAC3E86C7B4484BB} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {A12E19AC5DBA00553B090B9CC105805B17736BB9031167C15CD22498D617B97E234A2A556FD78F6ACECE16EAECF728404AE3DFE5E5E08F77EC1F4AE09F96A65329FD871B2FE68CB35E8B15D2D9D30C54E561B393667CA2E8FA1B6C0894A4A2200DDDFD067B532CDCE0246CFBE440336570BE365C97623E99619A3313916B536B} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\NTIOLib_1_0_9" wide | |
| $w1 = "\\DosDevices\\NTIOLib_1_0_9" wide | |
| $m0 = {A29B752AA713BA09712418DFA1066229129EDC9E7573E8DF5657699613564FF2C8BC0158ED2686720B60F519C55503579BB910C9A1D47440FF6C00E8E65337FEB7DA793EB85238E9812C9F0E3352A6CD70CE4A5D62F4D1675EBC974A07CABCDD8D47B1CDF1655B8501B04B6BDECD8E2EF550E8A39C9D26986B366341037044F05FE2257579507D5FA106A2460C55954714D39146866899E727F494EC9A4151F796D47A8CE14497687103D8586FBDB41042EE0D6675468B4496D23000120763F7449B0170CA566F9C58972A27178B2E71526D46ABA72B0F7F164864C852FA0617000774D745B30CF5789573E80AEEC4E0728C1E11AA1EBB5ECEF9B400EE73BDCD} | |
| $m1 = {BE2794996C4B3FA39C28F8E6124A05A5316441DFE0F087D59DFBC11259F88F8067D69B9F6046EAF084B1629A2CA0BF2498A31B4F181D1E1E952E870944256088967CA045958D071E9C135E8DC1CDCB66B8B3C65A2AFD3003055D7DA2CDBE8A1EB7889518CF35891488B3E8A849CE2A195C7D3ABDFC5EA01035D675B1FCD9CA35} | |
| $m2 = {B0B1F2800070CEECC38CB497EDC6098C266F89DF675981CFDE14134CC2B145E2537541FA07366FBA117028947C6D72BD071525653A09FF85DCFA7B5E378738E4C74B0880989E8ACD580902C0C30149965888892659F56DC6B9C1FB1825EDD8624ECA0A6C5D70EFCED39B290B09C6F6EEB616D43C548ECC5DE0AFDBDD2309327B328116620A06CB7ACF3421B66F36B6B1CECB9A2935403E9D587CFFAD8298FAB8D589CA35DDCBCD5706CB9BE4BF94A880985F7796F0B6E7AB74794021A663E9D00791BD8538B4AE96ACA1FF1473DAA545B84D86CE2A3CEFD4DF280E75A9A88813C2E47C6093F225CC038497E64EB69F2DD6B58B343CABD5383AC83DC4B1F994CD} | |
| $m3 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_ac3f613d457fc4d44fa27b2e0b1baa62c09415705efb5a40a4756da39b3ac165 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "ac3f613d457fc4d44fa27b2e0b1baa62c09415705efb5a40a4756da39b3ac165" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "CITMDRV.SYS: ZwCreateFile failed (0x%x)\n" | |
| $a1 = "CITMDRV.SYS: unload...\n" | |
| $a2 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_WRITECOMBINE\n" | |
| $a3 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_NOCACHE\n" | |
| $a4 = "CITMDRV.SYS: ZwUnmapViewOfSection failed (0x%x)\n" | |
| $a5 = "CITMDRV.SYS: copy %u bytes into user memory\n" | |
| $a6 = "CITMDRV.SYS: virtualAddress=0x%p\n" | |
| $a7 = "CITMDRV.SYS: Insufficient input or output buffer\n" | |
| $a8 = "CITMDRV.SYS: ZwMapViewOfSection failed (0x%x)\n" | |
| $a9 = "CITMDRV.SYS: aligned Address = 0x%I64x\n" | |
| $a10 = "CITMDRV.SYS: requested offset = 0x%x\n" | |
| $a11 = "CITMDRV.SYS: userOffset = 0x%x\n" | |
| $a12 = "CITMDRV.SYS: Try to split into single pages\n" | |
| $a13 = "CITMDRV.SYS: ZwOpenSection failed (0x%x)\n" | |
| $a14 = "CITMDRV.SYS: offset = 0x%x\n" | |
| $a15 = "CITMDRV.SYS: aligned end Address = 0x%I64x\n" | |
| $a16 = "CITMDRV.SYS: aligned start Address = 0x%I64x\n" | |
| $a17 = "CITMDRV.SYS: requested Size = 0x%x\n" | |
| $a18 = "CITMDRV.SYS: requested Address = 0x%I64x\n" | |
| $a19 = "CITMDRV.SYS: MmProbeAndLockPages access violation\n" | |
| $a20 = "CITMDRV.SYS: IoAllocateMdl failed\n" | |
| $a21 = "CITMDRV.SYS: userVirtualAddress = 0x%p\n" | |
| $a22 = "CITMDRV.SYS: unknown IRP_MJ_DEVICE_CONTROL\n" | |
| $a23 = "CITMDRV.SYS: IRP_MJ_CREATE\n" | |
| $a24 = "CITMDRV.SYS: IoCreateDevice failed\n" | |
| $a25 = "CITMDRV.SYS: IoCreateSymbolicLink failed\n" | |
| $a26 = "CITMDRV.SYS: DriverEntry...\n" | |
| $w0 = "\\DosDevices\\CITMDRV" wide | |
| $w1 = "\\Device\\PhysicalMemory" wide | |
| $w2 = "\\Device\\CITMDRV" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {D66D48AB487B00E92CAB08B846957A4918A507E5A6ACF04FEDCD529AB14D7EB0444DED486867E9C23B5CE55969AE520C6E556E2D1583277A6A09479D9CE2104BB76D1332005412F7D28AA1A85027F622F542F2832FB348F0454BE2D13BAD717280718D798272374000C8DF32748EB926321695E71ACA96FA4B55ACF24DF9A780BDEFE07205866592C1941457898ACB2A866226CF5C5E336C59B9D4359DAB8D340FCC0606C7565AEC8D5AACC37AAED10DD2F72260F831D1FA7ED05D69C7EF31C65424CAF31BF2D9482EA4108D0F7D13B30D6D5FC88D516E9992518D418A871F6CEBC20E55012AB2B7C73611995439723309A26374311F3C4C5D324E6CE5B2EAA3} | |
| $m3 = {97831E0016AF2CB1D208C4D7689351601E71F6E247B4DB584D23626AB4BF5A1B51F7A30D187768BBD836AB2F2150DA9EF3E75F274E0BC297C8097093A9DA5C0D4EA40D91A0B4EC14CE9172542ECEA3DB44E9521B3F413CCA4AE4AAC0E839AB53CC21D0CCCF7F9BE6C2CC586A8215EE3D36CF1CC59707248EF17BBE312D3D6EDCB599429F4B61955F1C70EE177DDB8BE5618978C7681BAF11781A98AEC4554753D9B332D6A10E4640C597928AD153A7995B853557D3EA936261200AC7307724114D6283B6BA7B688231EE65CADFF9D58DB235DC8C2B6F6A725C60849CF20C945EC056520048CCD3F8A57DDE2FD713E438A884D546B81386C21B9DEA5A38DD9BDB} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\driveragent%d" wide | |
| $w1 = "\\DosDevices\\driveragent%d" wide | |
| $w2 = "\\BaseNamedObjects\\HW64IrqEvent%d" wide | |
| $w3 = "\\BaseNamedObjects\\HW64KbdEvent%d" wide | |
| $w4 = "\\Device\\PhysicalMemory" wide | |
| $m0 = {C4B5F25215BC88866029164A5B2F4B916B8791F335545835EAD1365E624D52513471C27B661D89C8DD2AC46A0AF637D9987491F692AEB0B57696F1A94A6345472E6B0B924E4B2B8CEE584A8BD407E41A2CF882AA58D9CD42F32DC075DE8DABC78E1D9A6C4C08951EDEDBEF67E172C249C29E603CE1E2BE16A3637869147BAD2D} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {A29B752AA713BA09712418DFA1066229129EDC9E7573E8DF5657699613564FF2C8BC0158ED2686720B60F519C55503579BB910C9A1D47440FF6C00E8E65337FEB7DA793EB85238E9812C9F0E3352A6CD70CE4A5D62F4D1675EBC974A07CABCDD8D47B1CDF1655B8501B04B6BDECD8E2EF550E8A39C9D26986B366341037044F05FE2257579507D5FA106A2460C55954714D39146866899E727F494EC9A4151F796D47A8CE14497687103D8586FBDB41042EE0D6675468B4496D23000120763F7449B0170CA566F9C58972A27178B2E71526D46ABA72B0F7F164864C852FA0617000774D745B30CF5789573E80AEEC4E0728C1E11AA1EBB5ECEF9B400EE73BDCD} | |
| $m3 = {C14EEDEE2C42EDA103E27058C7817E0D9D9E23689CB88A33651975CBF6EA08B4EBA980034D9B7CF779FA438FE6958751A6234493A8050ABC25CD0F6887CA8606C50D55FEC5BAD4639C8B3AD6E30094E660A88193E0C916ED524A30C38759A3344A487CE9F3021EBA65BA451A9704C3615D98D2988452B4ACC3151C257C3DAB210B1F49BDD013C8DB67AF519AB687191ECBB19F469AE7B22E72FE99E852D4D9CD6BE8AFBAC5B1D964EC898CFA3F8519D50D3CF3402FACE591C883E89B924205A3FD31DDE3FB36B837B2278E765A01F39BBD45B9E7226AE6FD7F5985F9588F749A690586919C491A4619F29BEA09C18D727A8A3E53B02A6DF70EDE4E9C3B7AA311} | |
| $m4 = {B0B1F2800070CEECC38CB497EDC6098C266F89DF675981CFDE14134CC2B145E2537541FA07366FBA117028947C6D72BD071525653A09FF85DCFA7B5E378738E4C74B0880989E8ACD580902C0C30149965888892659F56DC6B9C1FB1825EDD8624ECA0A6C5D70EFCED39B290B09C6F6EEB616D43C548ECC5DE0AFDBDD2309327B328116620A06CB7ACF3421B66F36B6B1CECB9A2935403E9D587CFFAD8298FAB8D589CA35DDCBCD5706CB9BE4BF94A880985F7796F0B6E7AB74794021A663E9D00791BD8538B4AE96ACA1FF1473DAA545B84D86CE2A3CEFD4DF280E75A9A88813C2E47C6093F225CC038497E64EB69F2DD6B58B343CABD5383AC83DC4B1F994CD} | |
| $m5 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\NTIOLib_MB" wide | |
| $w1 = "\\DosDevices\\NTIOLib_MB" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {B24F14E710BED72672AB3697EF53BF42845E58D18A28FC43466F7E2844500B755D00D73C0A449E206AA4F7454A3760A36E3F12FA6DFAB646C36AA3B80C2728025728D150F7613955B8C3E12586523CBF051DD7B39AF89A243149D5A2A9E2D391AB3E3C73EFF629F1C835D0307B7F4E92A5068F87E2CEF5C16366AC18692AC15EBB5AE86E95FF3B80629D99C7C72F66D5FD621A82555AC6FA40778EC9303C1BF0F235B86C599CFDE9D6CAB4401EF704CAD167A974E3A50854D983353B8E8C230C75B6DE864A9E1A3E0A5049389CD2A890BF98FAC88C2B27117E2AFBCEDEA9AE389322FAA6ECFB5C6176C344D6CC0C7E2F6D0680A27440BBB71FF43BD773541FF3} | |
| $m2 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m3 = {BE4A2335C1F42275B5B0E7DD0A5B0C23655C15460D6E2E8455950F3EF4B46165CFB462C11F2C83EF605BF8ED1DC0808584DFD27F07F168DCDB64FB74B8F5A27190D81B187D0DD3F16A379AE523C9E2CF99ECC3EC1DA2567DB7967A08068BBC3288C310C7C6E0A34D724969FA8E317A31B2C8A414CBF217370C842939E5AE40813C50D577DCFED6E87CD8DF87744A8DED04E18FDD01E450A737B1663BF0A883778250EE26B95DD6A1F3F2AD0509B44D9E4CA02267FE8BC62F00197AD013933EC5F91B85208709E947F724CB1A1193F9CE3F1CD8CFAEC366C3C941E12F65EB098B67E31B59175C57B4D0A8988A7B5D93084EA27D4C14D525EC42C2B117D2BDA47B} | |
| $m4 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\driveragent%d" wide | |
| $w1 = "\\DosDevices\\driveragent%d" wide | |
| $w2 = "\\BaseNamedObjects\\HW64IrqEvent%d" wide | |
| $w3 = "\\BaseNamedObjects\\HW64KbdEvent%d" wide | |
| $w4 = "\\Device\\PhysicalMemory" wide | |
| $m0 = {C4B5F25215BC88866029164A5B2F4B916B8791F335545835EAD1365E624D52513471C27B661D89C8DD2AC46A0AF637D9987491F692AEB0B57696F1A94A6345472E6B0B924E4B2B8CEE584A8BD407E41A2CF882AA58D9CD42F32DC075DE8DABC78E1D9A6C4C08951EDEDBEF67E172C249C29E603CE1E2BE16A3637869147BAD2D} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {A29B752AA713BA09712418DFA1066229129EDC9E7573E8DF5657699613564FF2C8BC0158ED2686720B60F519C55503579BB910C9A1D47440FF6C00E8E65337FEB7DA793EB85238E9812C9F0E3352A6CD70CE4A5D62F4D1675EBC974A07CABCDD8D47B1CDF1655B8501B04B6BDECD8E2EF550E8A39C9D26986B366341037044F05FE2257579507D5FA106A2460C55954714D39146866899E727F494EC9A4151F796D47A8CE14497687103D8586FBDB41042EE0D6675468B4496D23000120763F7449B0170CA566F9C58972A27178B2E71526D46ABA72B0F7F164864C852FA0617000774D745B30CF5789573E80AEEC4E0728C1E11AA1EBB5ECEF9B400EE73BDCD} | |
| $m3 = {C14EEDEE2C42EDA103E27058C7817E0D9D9E23689CB88A33651975CBF6EA08B4EBA980034D9B7CF779FA438FE6958751A6234493A8050ABC25CD0F6887CA8606C50D55FEC5BAD4639C8B3AD6E30094E660A88193E0C916ED524A30C38759A3344A487CE9F3021EBA65BA451A9704C3615D98D2988452B4ACC3151C257C3DAB210B1F49BDD013C8DB67AF519AB687191ECBB19F469AE7B22E72FE99E852D4D9CD6BE8AFBAC5B1D964EC898CFA3F8519D50D3CF3402FACE591C883E89B924205A3FD31DDE3FB36B837B2278E765A01F39BBD45B9E7226AE6FD7F5985F9588F749A690586919C491A4619F29BEA09C18D727A8A3E53B02A6DF70EDE4E9C3B7AA311} | |
| $m4 = {B0B1F2800070CEECC38CB497EDC6098C266F89DF675981CFDE14134CC2B145E2537541FA07366FBA117028947C6D72BD071525653A09FF85DCFA7B5E378738E4C74B0880989E8ACD580902C0C30149965888892659F56DC6B9C1FB1825EDD8624ECA0A6C5D70EFCED39B290B09C6F6EEB616D43C548ECC5DE0AFDBDD2309327B328116620A06CB7ACF3421B66F36B6B1CECB9A2935403E9D587CFFAD8298FAB8D589CA35DDCBCD5706CB9BE4BF94A880985F7796F0B6E7AB74794021A663E9D00791BD8538B4AE96ACA1FF1473DAA545B84D86CE2A3CEFD4DF280E75A9A88813C2E47C6093F225CC038497E64EB69F2DD6B58B343CABD5383AC83DC4B1F994CD} | |
| $m5 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "Irp->CurrentLocation <= Irp->StackCount + 1" | |
| $m0 = {A9596674DA3D8A7D7AD8FCF580447BFE476A14554E50470BECD3EDCEF638F74F69B9B1F0B678820A8C761667E202ADB70DA58AF603FC66D3FC082DCCB573597B89DC336E665A5E5237B462D1925935148B45AC59B24D24A298946842729F3A68E26B8B9E222DF4984E9AC6AFB3E4A0AB3C28BF23E1D772A4F2105367AE77AF51} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {BE671DB460AA10496F56177C66C95E860DD5F1ACA771838E8B89F88804891506BA2D842195E4D19C504CFBD222BDDAF2B2353B1E8FC309FBFC132E5ABF897C3D3B251EF6F3587B9CF401B5C60AB880CEBE27746167274D6AE5EC81615879A3E01710121527B0E14D347F2B472044B9DE6624668ACD4FBA1FC538C85490E172F61966756AB94968CF38790DAA30A8DB2C60489ED7AA1401A983D7389130391396033A7C4054B6ADE02F1B83DCA811523E02B3D72BFD21B6A75CA30F0BA9A610500E342E4DA7CEC95E25D48CBCF36E7C29BC015DFC31875AD58C8567588819A0BF35F0EA2BA321E790F683E5A8ED60785E7B6083FD570B5D410D635460D64321EF} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {D58656C0DEA2D94363A3893FDAF950275A4196ACE8DD8745DE1279CD6A644C13F0AC6875FC911961493877176B4C88A9CB97EA48903E5D3C9969C8A684BD106FD2E111C4D8C5CE5B0CC7234F3F65E12562B41C46B38B4C1743144AAF0C4E1A33F2B275A95F8B442E40F56655E32074C24C0726D720F675AB79D7E5049B823719} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "_DirectKmCallUmCommPort(): Client port not initialized.\n" | |
| $a1 = "_DirectKmCallUmCommPort(): CommPort not ready.\n" | |
| $a2 = "source\\CommPortKm.cpp" | |
| $a3 = "_DirectKmCallUmCommPort(): No memory, silent event.\n" | |
| $a4 = "_DirectKmCallUmCommPort: pShareMemBlk is NULL!\n" | |
| $a5 = "_DirectKmCallUmCommPort: ObOpenObjectByPointer() failed. status: 0x%x\n" | |
| $a6 = "_DirectKmCallUmCommPort: ObOpenObjectByPointer() done, but invalid handle value.\n" | |
| $a7 = "_DirectKmCallUmCommPort: ZwAllocateVirtualMemory() failed. status: 0x%x\n" | |
| $a8 = "_DirectKmCallUmCommPort: ZwAllocateVirtualMemory() succeeded, but size of returned memory too small.\n" | |
| $a9 = "_DirectKmCallUmCommPort: ZwAllocateVirtualMemory() returns base address: 0x%x Size:%u\n" | |
| $a10 = "_DirectKmCallUmCommPort: ProbeForWrite() throws exception.\n" | |
| $a11 = "_DirectKmCallUmCommPort: ZwFreeVirtualMemory() failed.\n" | |
| $a12 = "_DirectKmCallUmCommPort(): Sending command KM to UM time out.\n" | |
| $a13 = "_DirectKmCallUmCommPort(): Sending Command KM to UM failed. status: 0x%x" | |
| $a14 = "_DirectKmCallUmCommPort: ZwClose() failed.\n" | |
| $a15 = "Unmap user view port memory success.\n" | |
| $a16 = "Unmap base user view port memory fail.\n" | |
| $a17 = "Unmap kernel view port memory success.\n" | |
| $a18 = "Unmap base kernel view port memory fail.\n" | |
| $a19 = "TmFltMessageNotify(): Invalid input buffer" | |
| $a20 = "TmFltMessageNotify(): Exception when reading input(%u)" | |
| $a21 = "TmFltMessageNotify(): Invalid command" | |
| $a22 = "TmFltMessageNotify(): Invalid output buffer" | |
| $a23 = "TmFltMessageNotify(): Mdl allocation failed" | |
| $a24 = "TmFltMessageNotify(): Exception when memory locking(%u)" | |
| $a25 = "TmFltMessageNotify(): Mdl map failed" | |
| $a26 = "TmFltMessageNotify(): Exception when set ReturnOutputBufferLength(%u)" | |
| $a27 = "_InitCommPortKmManagementRoutine begin ...\n" | |
| $a28 = "BuildDefaultSecurityDescriptor failed. status: %x" | |
| $a29 = "Open Km init event failed. error: %x, handle: %x" | |
| $a30 = "FltBuildDefaultSecurityDescriptor failed. status: 0x%x\n" | |
| $a31 = "Kernel mode Port calculation failed.\n" | |
| $a32 = "FltCreateCommunicationPort failed. status: 0x%x\n" | |
| $a33 = "Create Communication Port successfully.\n" | |
| $a34 = "Client Connect Event wait timeout!\n" | |
| $a35 = "Client Connect Event wait fail. status: 0x%x\n" | |
| $a36 = "InitCommPortKmManagementRoutine: ZwCreateSection failed.\n" | |
| $a37 = "InitCommPortKmManagementRoutine: ZwMapViewOfSection(kernel) failed.\n" | |
| $a38 = "InitCommPortKmManagementRoutine: ZwOpenSection failed.\n" | |
| $a39 = "InitCommPortKmManagementRoutine: ZwMapViewOfSection(user) failed.\n" | |
| $a40 = "Connect to User Manager Port successfully!\n" | |
| $a41 = "_g_CommPortKmState.KmViewPortMemory = %x\n" | |
| $a42 = "_g_CommPortKmState.UserViewPortMemory = %x\n" | |
| $a43 = "CShareMemMgr::CreateInstance()->Initialize failed! status: 0x%x\n" | |
| $a44 = "_InitCommPortKmManagementRoutine Succeed.\n" | |
| $a45 = "_DeInitCommPortKmManagementRoutine ...\n" | |
| $a46 = "KmBackupCommPortSetAPIs ...\n" | |
| $a47 = "source\\configmanages.cpp" | |
| $a48 = "source\\context.cpp" | |
| $a49 = "source\\LPCKm.cpp" | |
| $a50 = "***DirectKmCallUmLPC: pShareMemBlk is NULL!" | |
| $a51 = "***DirectKmCallUmLPC: ObOpenObjectByPointer() failed 0x%x\n" | |
| $a52 = "***DirectKmCallUmLPC: ObOpenObjectByPointer() done but invalid handle value\n" | |
| $a53 = "***DirectKmCallUmLPC: ZwAllocateVirtualMemory() failed 0x%x\n" | |
| $a54 = "***DirectKmCallUmLPC: ZwAllocateVirtualMemory() success but the size of returned memory is too small to use\n" | |
| $a55 = "***DirectKmCallUmLPC: ProbeForWrite() throw exception\n" | |
| $a56 = "***DirectKmCallUmLPC(): Sending Command KM to UM failed 0x%x" | |
| $a57 = "***BuildDefaultSecurityDescriptor failed!, %x" | |
| $a58 = "***Open Um init event failed, error = %x, handle=%x" | |
| $a59 = "***Waiting for User Init Event failed ,%x, handle = %x" | |
| $a60 = "*** Create Memory Section for Um port failed: %x" | |
| $a61 = "Kernel mode LPC Port calculation failed!\n" | |
| $a62 = "*** Connect to User Manager Port failed, error = %x" | |
| $a63 = "BCryptOpenAlgorithmProvider" | |
| $a64 = "BCryptCloseAlgorithmProvider" | |
| $a65 = "BCryptGetProperty" | |
| $a66 = "BCryptSetProperty" | |
| $a67 = "BCryptGenRandom" | |
| $a68 = "BCryptGenerateSymmetricKey" | |
| $a69 = "BCryptExportKey" | |
| $a70 = "BCryptImportKey" | |
| $a71 = "BCryptEncrypt" | |
| $a72 = "BCryptDestroyKey" | |
| $a73 = "BCryptCreateHash" | |
| $a74 = "BCryptFinishHash" | |
| $a75 = "BCryptGenerateKeyPair" | |
| $a76 = "BCryptFinalizeKeyPair" | |
| $a77 = "BCryptDestroyHash" | |
| $a78 = "BCryptImportKeyPair" | |
| $a79 = "BCryptVerifySignature" | |
| $a80 = "TmCommAttachTmActMonClientProcess( %x )\n" | |
| $a81 = "TmCommDetachTmActMonClientProcess( %x )\n" | |
| $a82 = ">>> CFG-RemoveEP(%03x, %08x)=%#x\n" | |
| $a83 = ">>> CFG-RemoveEPEventType(%03x, %08x)=%#x\n" | |
| $a84 = ">>> CFG-RemoveAllEP()\n" | |
| $a85 = ">>> CFG-TmCommQueryProcessImageFileNameByEPROCESS(%p, %wZ)=%#x\n" | |
| $a86 = ">>> CFG-TmCommQueryProcessImageFileNameFromEPROCESS(%p, %s)=%#x\n" | |
| $a87 = ">>> CFG-AddExclusionList(), Id = %x, status = %#x\n" | |
| $a88 = ">>> CFG-AddInclusionList(), Id = %x, status = %#x\n" | |
| $a89 = " Err-TmCfg, Code %x, Handler %x" | |
| $a90 = "source\\TmCommHelperKm.cpp" | |
| $a91 = ">>> CShareMemMgr::Initialize()" | |
| $a92 = "<<< CShareMemMgr::Initialize()" | |
| $a93 = "CShareMemMgr::Initialize : %x\n" | |
| $a94 = ">>> CShareMemMgr::DeInitialize()" | |
| $a95 = "<<< CShareMemMgr::DeInitialize()" | |
| $a96 = "***CShareMemMgr Semaphore count = 0" | |
| $a97 = "CShareMemMgr::FreeMemoryBlock : %x\n" | |
| $a98 = "***InitWellKnownSIDs(), SIDs allocate failed!" | |
| $a99 = "***BuildDefaultSecurityDescriptor(), ACL allocates failed!" | |
| $a100 = "***BuildDefaultSecurityDescriptor(), SD allocates failed!" | |
| $a101 = "***BuildDefaultSecurityDescriptor(): Creating Dacl failed 0x%lx" | |
| $a102 = "***BuildDefaultSecurityDescriptor(): Add System access failed 0x%lx" | |
| $a103 = "***BuildDefaultSecurityDescriptor(): Add Administrators access failed 0x%lx" | |
| $a104 = "***BuildDefaultSecurityDescriptor(): Create SD failed 0x%lx" | |
| $a105 = "***BuildDefaultSecurityDescriptor(): Set SD DACL failed 0x%lx" | |
| $a106 = "Invalid buffer for IOCTL code 0x%x" | |
| $a107 = " pfIoCtlHandler, Code %x, ErrCode %x" | |
| $a108 = " Err-DICCDisp, Code %x, Handler %x" | |
| $a109 = " >>> IoControlFindFirstFile" | |
| $a110 = " <<< IoControlFindFirstFile" | |
| $a111 = " >>> IoControlFindFirstFileIRP" | |
| $a112 = " <<< IoControlFindFirstFileIRP" | |
| $a113 = " >>> IoControlFindNextFile" | |
| $a114 = " <<< IoControlFindNextFile" | |
| $a115 = " >>> IoControlFindNextFileIRP" | |
| $a116 = " <<< IoControlFindNextFileIRP" | |
| $a117 = " >>> IoControlFindCloseFile" | |
| $a118 = " <<< IoControlFindCloseFile" | |
| $a119 = " >>> IoControlCreateFile" | |
| $a120 = " <<< IoControlCreateFile" | |
| $a121 = " >>> IoControlCreateFileOplock" | |
| $a122 = " <<< IoControlCreateFileOplock" | |
| $a123 = " >>> IoControlCreateFileIRP" | |
| $a124 = " <<< IoControlCreateFileIRP" | |
| $a125 = " >>> IoControlDeleteFileIRP" | |
| $a126 = " <<< IoControlDeleteFileIRP" | |
| $a127 = " >>> IoControlQueryExclusiveHandle" | |
| $a128 = " <<< IoControlQueryExclusiveHandle" | |
| $a129 = " >>> IoControlCloseExclusiveHandle" | |
| $a130 = " <<< IoControlCloseExclusiveHandle" | |
| $a131 = " >>> IoControlGetFileSizeIRP" | |
| $a132 = " <<< IoControlGetFileSizeIRP" | |
| $a133 = " >>> IoControlSetFilePosIRP" | |
| $a134 = " <<< IoControlSetFilePosIRP" | |
| $a135 = " >>> IoControlReadFileIRPNoCache" | |
| $a136 = " <<< IoControlReadFileIRPNoCache" | |
| $a137 = " >>> IoControlQueryFile" | |
| $a138 = " <<< IoControlQueryFile" | |
| $a139 = " >>> IoControlSetInformationFile" | |
| $a140 = " <<< IoControlSetInformationFile" | |
| $a141 = " >>> IoControlGetFileSecurity" | |
| $a142 = " <<< IoControlGetFileSecurity" | |
| $a143 = " >>> IoControlSetFileSecurity" | |
| $a144 = " <<< IoControlSetFileSecurity" | |
| $a145 = " >>> IoControlReadFile" | |
| $a146 = " <<< IoControlReadFile" | |
| $a147 = " >>> IoControlUpdateCoreList" | |
| $a148 = " <<< IoControlUpdateCoreList" | |
| $a149 = " >>> IoControlGetDRxMapTable" | |
| $a150 = " <<< IoControlGetDRxMapTable" | |
| $a151 = " >>> IoControlCreateRegKey" | |
| $a152 = " <<< IoControlCreateRegKey" | |
| $a153 = " >>> IoControlOpenRegKey reference count=%d" | |
| $a154 = " <<< IoControlOpenRegKey reference count=%d" | |
| $a155 = " >>> IoControlCloseRegKey" | |
| $a156 = " <<< IoControlCloseRegKey" | |
| $a157 = " >>> IoControlEnumRegKey" | |
| $a158 = " <<< IoControlEnumRegKey" | |
| $a159 = " >>> IoControlEnumRegKeyValue" | |
| $a160 = " <<< IoControlEnumRegKeyValue" | |
| $a161 = " >>> IoControlQueryRegKeyValue" | |
| $a162 = " <<< IoControlQueryRegKeyValue" | |
| $a163 = " >>> IoControlDeleteRegKey" | |
| $a164 = " <<< IoControlDeleteRegKey" | |
| $a165 = " >>> IoControlDeleteRegKeyValue" | |
| $a166 = " <<< IoControlDeleteRegKeyValue" | |
| $a167 = " >>> IoControlSaveRegKey" | |
| $a168 = " <<< IoControlSaveRegKey" | |
| $a169 = " >>> IoControlSetRegKeyValue" | |
| $a170 = " <<< IoControlSetRegKeyValue" | |
| $a171 = " >>> IoControlQueryRegInfoKey" | |
| $a172 = " <<< IoControlQueryRegInfoKey" | |
| $a173 = " >>> IoControlTerminateProcess" | |
| $a174 = " <<< IoControlTerminateProcess" | |
| $a175 = " >>> IoControlOpenProcess" | |
| $a176 = " <<< IoControlOpenProcess" | |
| $a177 = " >>> IoControlOpenProcessLite" | |
| $a178 = " <<< IoControlOpenProcessLite" | |
| $a179 = " >>> IoControlNormalizeFullNtPathToDosNameW" | |
| $a180 = " <<< IoControlNormalizeFullNtPathToDosNameW" | |
| $a181 = " >>> IoControlGetTrueAPIPointer reference count=%d" | |
| $a182 = " <<< IoControlGetTrueAPIPointer reference count=%d" | |
| $a183 = " >>> IoControlGetUtilityAPIPointer reference count=%d" | |
| $a184 = " <<< IoControlGetUtilityAPIPointer reference count=%d" | |
| $a185 = " >>> IoControlRegisterUnloadNotify pointer addr[%p]" | |
| $a186 = " <<< IoControlRegisterUnloadNotify result[%x]" | |
| $a187 = " >>> IoControlUnRegisterUnloadNotify pointer addr[%p]" | |
| $a188 = " <<< IoControlUnRegisterUnloadNotify result[%x]" | |
| $a189 = " >>> IoELAMWriteRawData pointer addr[%p]" | |
| $a190 = " <<< IoELAMWriteRawData result[%x]" | |
| $a191 = " >>> IoELAMWriteStatus pointer addr[%p]" | |
| $a192 = " <<< IoELAMWriteStatus result[%x]" | |
| $a193 = " >>> TMRSCheckDeviceStackIntegrity" | |
| $a194 = " <<< TMRSCheckDeviceStackIntegrity" | |
| $a195 = " >>> TMRSIoTryToStopTmcomm reference count=%d" | |
| $a196 = "TMRSIoTryToStopTmcomm don't work. gIsDeviceReady==%d " | |
| $a197 = "TMRSIoTryToStopTmcomm don't work. gIsLoadUnloadEventReady==%d g_pLoadedEvent=0x%x ,g_pUnloadedEvent=0x%x " | |
| $a198 = "TMRSIoTryToStopTmcomm. Set Unload Event=TRUE. pKevnt=0x%x" | |
| $a199 = "TMRSIoTryToStopTmcomm KeSetEvent gUnloadedEvent Fail Ret=0x%x" | |
| $a200 = "TMRSIoTryToStopTmcomm Device reference count=%d" | |
| $a201 = "KeDelayExecutionThread Ret=0x%x" | |
| $a202 = "TMRSIoTryToStopTmcomm. Set Unload Event=TRUE again. pKevnt=0x%x" | |
| $a203 = "Tmcomm waits ref==2 5mins. It expires so TMRSIoTryToStopTmcomm return error." | |
| $a204 = "<<< TMRSIoTryToStopTmcomm reference count=%d" | |
| $a205 = " >>> TMXMSCheckSystemRoutine" | |
| $a206 = " <<< TMXMSCheckSystemRoutine" | |
| $a207 = " >>> TMXMSCheckSystemFileIO" | |
| $a208 = " <<< TMXMSCheckSystemFileIO" | |
| $a209 = " >>> TMXMSCheckSpecialSystemHooking" | |
| $a210 = " <<< TMXMSCheckSpecialSystemHooking" | |
| $a211 = " >>> TMXMSCheckGeneralSystemHooking" | |
| $a212 = " <<< TMXMSCheckGeneralSystemHooking" | |
| $a213 = " >>> TMXMSCheckSystemObjectByName" | |
| $a214 = " <<< TMXMSCheckSystemObjectByName" | |
| $a215 = "UpdateNtfsFlag:: Ntfs Disabled " | |
| $a216 = "UpdateNtfsFlag:: Ntfs Enabled " | |
| $a217 = " Skip decrement ReferenceCount" | |
| $a218 = " _freeLoadUnloadEvent fail Ret=0x%x" | |
| $a219 = " CZwTrueAPI::Instance()->InitNtfs() fail " | |
| $a220 = " CZwTrueAPI::Instance()->InitTrueAPI() fail " | |
| $a221 = " CXrayAPI::Instance()->Initialize() fail " | |
| $a222 = "Tmcomm goto stop because driver config " | |
| $a223 = "source\\tmcomm_x64.cpp" | |
| $a224 = " Xray instance fail " | |
| $a225 = "Alloc g_ObjDelayLoadThread fail " | |
| $a226 = "IoCreateDeviceSecure fail" | |
| $a227 = " IoCreateSymbolicLink fail " | |
| $a228 = "TmKernelVersion::Instance() return NULL\n" | |
| $a229 = "TmKernelVersion::Instance()->Init() fail\n" | |
| $a230 = "InternalAPI::Instance() return NULL\n" | |
| $a231 = "InternalAPI::Instance()->Init() fail\n" | |
| $a232 = " gAutoUpdateConfigThread fail " | |
| $a233 = " CWorkerThreadPool::Instance()->CreatePool() fail " | |
| $a234 = " g_WorkerThread.CreatePool() fail " | |
| $a235 = " g_RcmWorkerThread.CreatePool() fail " | |
| $a236 = " g_LogWorkerThread.CreatePool() fail " | |
| $a237 = "DriverEntry: Bypass volume device normalize enabled" | |
| $a238 = ">>_initialLoadUnloadEvent" | |
| $a239 = "tmcomm unload Evnet Name=%ws" | |
| $a240 = "ObReferenceObjectByHandle LoadEvent fail. Status=0x%x" | |
| $a241 = "ObReferenceObjectByHandle UnLoadEvent fail. Status=0x%x" | |
| $a242 = "Start waiting 1 secs." | |
| $a243 = "try to Set unload Event=FALSE kEvent=0x%x" | |
| $a244 = "create load/unload event fail. Load=0x%x Unload=0x%x" | |
| $a245 = "Set unload Event=FALSE h=0x%x" | |
| $a246 = "<<_initialLoadUnloadEvent gIsLoadUnloadEventReady=%d" | |
| $a247 = ">>_freeLoadUnloadEvent() gIsLoadUnloadEventReady=%d" | |
| $a248 = "TMRSIoTryToStopTmcomm Device reference count=%d break" | |
| $a249 = "TMRSIoTryToStopTmcomm Device reference count=%d Sleep 5secs" | |
| $a250 = "Tmcomm unload by (net stop) and some module is using tmcomm. We wait for 2 mins. So we force terminate." | |
| $a251 = "No client request export trueAPI." | |
| $a252 = "Set Unload Event=FALSE h=0x%x" | |
| $a253 = "<<_freeLoadUnloadEvent() don't work gIsLoadUnloadEventReady==FALSE" | |
| $a254 = "<<_freeLoadUnloadEvent()" | |
| $a255 = "source\\tmdelayloadthread.cpp" | |
| $a256 = "source\\tmexclusionlist.cpp" | |
| $a257 = "source\\tmexclusionprocess.cpp" | |
| $a258 = "source\\tmfile.cpp" | |
| $a259 = "[InclusionList] SetPath Ret=%d" | |
| $a260 = "[InclusionList] SetFolder Ret=%d" | |
| $a261 = "[InclusionList] SetExt Ret=%d" | |
| $a262 = "[InclusionList] SetName Ret=%d" | |
| $a263 = "[InclusionList] ResetPath" | |
| $a264 = "[InclusionList] ResetFolder" | |
| $a265 = "[InclusionList] ResetExt" | |
| $a266 = "[InclusionList] ResetName" | |
| $a267 = "source\\tminclusionlist.cpp" | |
| $a268 = "source\\TmInternalAPI.cpp" | |
| $a269 = "[BackTrace]: Previous mode == kernel mode\n" | |
| $a270 = "source\\TmKernelVersion.cpp" | |
| $a271 = "source\\tmlist.cpp" | |
| $a272 = "*** Failed to insert list. List full ." | |
| $a273 = "*** Failed to insert. List full . \n" | |
| $a274 = "*** Failed to insert list. should delet it ." | |
| $a275 = "*** Failed to insert.should delet it . \n" | |
| $a276 = "Unknown" | |
| $a277 = "source\\tmlog.cpp" | |
| $a278 = "source\\TmLPCUtil.cpp" | |
| $a279 = "FileHandler.Create fail. Status = %i" | |
| $a280 = "ModLoadDLLToBufferWithImageSize() fail. Status = %i" | |
| $a281 = "FileHandler.CreateWIRP() Success" | |
| $a282 = "source\\tmmodinfo_x64.cpp" | |
| $a283 = "source\\TmReparsePoint.cpp" | |
| $a284 = "Invalid NT volume" | |
| $a285 = "Invalid file name prefix" | |
| $a286 = "Invalid volume DOS name" | |
| $a287 = "Invalid reparse volume" | |
| $a288 = "%s remove DosName: %wZ, Reparse:%wZ" | |
| $a289 = "Invalid file name" | |
| $a290 = "Invalid reparse point" | |
| $a291 = "source\\tmrsscan_x64.cpp" | |
| $a292 = "CProcessSnapshot::TakeSingleSnapshot>> TMRS_PROCESS_NTDLLAPI" | |
| $a293 = "SystemInformationAPI" | |
| $a294 = "CProcessSnapshot::TakeSingleSnapshot>> TMRS_PROCESS_HANDLEINFO" | |
| $a295 = "TraverseHandleTable" | |
| $a296 = "TrueSystemInformationAPI" | |
| $a297 = "TotalProcess %ld for %s" | |
| $a298 = "EPROC=%p ParentId %p, ProcessId %p-%s %wZ" | |
| $a299 = "EProcess 0x%p is still in creation! Skip this process!\n" | |
| $a300 = "Method %s::Insert - Invalid EProcess 0x%p" | |
| $a301 = "Method VM Insert EPROC=0x%p hProcessId=%d hParentProcessId=%d " | |
| $a302 = "Method %s::Insert - Invalid PID %x" | |
| $a303 = "[ERROR]InsertDriverEx FAIL. tmiDriver=0x%x, BaseAddr=0x%x" | |
| $a304 = "(%x)[SKIP]InsertDriverEx tmiDriver=0x%x, BaseAddr=0x%x Name=%ws\n" | |
| $a305 = "************************ Hidden Driver ***********************\n" | |
| $a306 = "Driver Flag %x, TimeStamp %x, Base %p-(%ws-%ws)" | |
| $a307 = "DriverObject Directory" | |
| $a308 = "ModuleInformation" | |
| $a309 = "[%d][%s]=> Status=0x%x, OrgAddr=0x%x ,CurrentAddr=0x%x" | |
| $a310 = " >>> CheckDeviceStackIntegrity() : Error!" | |
| $a311 = " Err-_SysThreadCreateSnapshot, Code %x " | |
| $a312 = " address is not 4 bit alignment 0x%x !" | |
| $a313 = "PointerCount invalid 0x%x !" | |
| $a314 = "HandleCount invalid 0x%x !" | |
| $a315 = " Backward _TMRSProcessListByEprocVM() listHead=0x%x, g_ulWorksetOffsetFromEPROC=0x%x " | |
| $a316 = " Backward _TMRSProcessListByEprocVM() MmIsAddressValid Fail => listEntry=0x%x Process=0x%x " | |
| $a317 = "(Backward) Invalid EPROCESS: 0x%p, PID: 0x%x, PPID: 0x%x, OBJ_TYPE: 0x%x (0x%x)\n" | |
| $a318 = " address is not align in Eprocess(0x%p) skip this eprocess\n" | |
| $a319 = " PID is too large in Eprocess(0x%p) skip this eprocess\n" | |
| $a320 = " Pointer or handle count is invalid in Eprocess(0x%p) skip this eprocess\n" | |
| $a321 = " Backward _TMRSProcessListByEprocVM() MmIsAddressValid Fail => Process=0x%p " | |
| $a322 = " Forward _TMRSProcessListByEprocVM() listHead=0x%x, g_ulWorksetOffsetFromEPROC=0x%x " | |
| $a323 = " Forward _TMRSProcessListByEprocVM() MmIsAddressValid Fail => listEntry=0x%x Process=0x%x " | |
| $a324 = "(Forward) Invalid EPROCESS: 0x%p, PID: 0x%x, PPID: 0x%x, OBJ_TYPE: 0x%x (0x%x)\n" | |
| $a325 = " Pointer count is invalid in Eprocess(0x%p) skip this eprocess\n" | |
| $a326 = " Forward _TMRSProcessListByEprocVM() MmIsAddressValid Fail => Process=0x%p " | |
| $a327 = "\ntmcomm run on target: %d.%d.%d Sp(%d)\n" | |
| $a328 = "Driver Config support this OS build " | |
| $a329 = ">>> Exception, Not a list %p \n" | |
| $a330 = "Exception finding g_ulThreadListEntry, invalid LIST_ENTRY \n" | |
| $a331 = "Exception finding g_ulThreadListEntry \n" | |
| $a332 = " In unsupported platform, someone try to set previous mode " | |
| $a333 = "_TMRSThreadListByEprocess>> Process 0x%x Not Found!" | |
| $a334 = " Forward _TMRSThreadListByEprocess() MmIsAddressValid Fail => ETHREAD=0x%x " | |
| $a335 = "g_NTTimeDateStamp: %d " | |
| $a336 = "Driver is running in compatible mode" | |
| $a337 = "Driver Config decrypt error" | |
| $a338 = "Driver Config checksum error" | |
| $a339 = "Driver Config signature error" | |
| $a340 = "Driver hardcode g_ulPIDFromHandleTable: %d" | |
| $a341 = "Driver hardcode g_ulHandleTableListOffset: %d" | |
| $a342 = "Driver hardcode g_ulPreviuosModeOffsetFromThread: %d" | |
| $a343 = "Driver hardcode g_ulThreadListEntry: %d" | |
| $a344 = "Driver hardcode g_ulPIDOffsetFromEproc: %d" | |
| $a345 = "Driver hardcode g_ulSectionObjectAddressOffsetFromEproc: %d" | |
| $a346 = "Driver hardcode g_ulSectionBaseAddressOffsetFromEproc: %d" | |
| $a347 = "Driver hardcode g_ulParentPIDOffsetFromEproc: %d" | |
| $a348 = "Driver hardcode g_ulHandleTableOffsetFromEproc: %d" | |
| $a349 = "Driver hardcode g_ulThreadListHead: %d" | |
| $a350 = "Driver hardcode g_ulVMOffsetFromEPROC: %d" | |
| $a351 = "Driver hardcode g_ulWorksetOffsetFromEPROC: %d" | |
| $a352 = "Driver hardcode g_ulServiceNameOffsetInDevNode: %d" | |
| $a353 = "Driver hardcode g_ulPhysicalDeviceObjectOffsetInDevNode: %d" | |
| $a354 = "Driver hardcode g_Windows: %d" | |
| $a355 = "Driver Config support this OS build %d %d %d %d, entity version: %d, size: %d" | |
| $a356 = "Driver Config g_ulPIDFromHandleTable: %d" | |
| $a357 = "Driver Config g_ulHandleTableListOffset: %d" | |
| $a358 = "Driver Config g_ulPreviuosModeOffsetFromThread: %d" | |
| $a359 = "Driver Config g_ulThreadListEntry: %d" | |
| $a360 = "Driver Config g_ulPIDOffsetFromEproc: %d" | |
| $a361 = "Driver Config g_ulSectionObjectAddressOffsetFromEproc: %d" | |
| $a362 = "Driver Config g_ulSectionBaseAddressOffsetFromEproc: %d" | |
| $a363 = "Driver Config g_ulParentPIDOffsetFromEproc: %d" | |
| $a364 = "Driver Config g_ulHandleTableOffsetFromEproc: %d" | |
| $a365 = "Driver Config g_ulThreadListHead: %d" | |
| $a366 = "Driver Config g_ulVMOffsetFromEPROC: %d" | |
| $a367 = "Driver Config g_ulWorksetOffsetFromEPROC: %d" | |
| $a368 = "Driver Config g_ulServiceNameOffsetInDevNode: %d" | |
| $a369 = "Driver Config g_ulPhysicalDeviceObjectOffsetInDevNode: %d" | |
| $a370 = "Driver Config g_Windows: %d" | |
| $a371 = "source\\tmthreadbitmap.cpp" | |
| $a372 = " CThreadIdBitMap::IsProcessing() MmIsAddressValid Fail =>m_pThreadLogArray + ulByteIndex is invalid " | |
| $a373 = "source\\tmthreadpool.cpp" | |
| $a374 = "source\\tmtrueapi.cpp" | |
| $a375 = ">> CZwTrueAPI::tapiQueryInformationFile " | |
| $a376 = "tapiQueryInformationFile: tapiZwQueryInformationFile Ret=0x%x handle=0x%x" | |
| $a377 = ">> CZwTrueAPI::tapiSetInformationFile " | |
| $a378 = "tapiSetInformationFile: tapiSetInformationFile Ret=0x%x handle=0x%x" | |
| $a379 = "Read again, reason: %x" | |
| $a380 = "STATUS_INVALID_PARAMETER: %d, %d" | |
| $a381 = "STATUS_INSUFFICIENT_RESOURCES: %d, %d" | |
| $a382 = "tapiZwCreateFile() fail: Ret=0x%x file=%ws" | |
| $a383 = "tapiZwQuerySecurityObject() fail: Ret=0x%x file=%ws" | |
| $a384 = "tapiZwSetSecurityObject() fail: Ret=0x%x file=%s" | |
| $a385 = " CZwTrueAPI::tapiQueryExclusiveHandle Ret=0x%x " | |
| $a386 = " CZwTrueAPI::tapiCloseExclusiveHandle Ret=0x%x " | |
| $a387 = "ExAllocatePoolWithTag" | |
| $a388 = "Get ExAllocatePoolWithTag function address fail!" | |
| $a389 = "OpenProcess with NtOpenProcess. PID =0x%x " | |
| $a390 = "Open Process with ZwOpenProcess. PID =0x%x " | |
| $a391 = "source\\tmtrueapi_x64.cpp" | |
| $a392 = "tapiDeleteFileExWIRP:ObReferenceObjectByHandle Ret=0x%x handle=0x%x " | |
| $a393 = "tapiDeleteFileExWIRP:UtilCleanFileReadOnly Ret=0x%x handle=0x%x fileObj=0x%x" | |
| $a394 = "Success get TAPI table. TableVersion=%d CalledNumber=%d" | |
| $a395 = "source\\tmutil.cpp" | |
| $a396 = "System" | |
| $a397 = "_ResetProtectFromClose return 0x%x" | |
| $a398 = "[_UtilQueryExclusiveHandle] invalid handle" | |
| $a399 = "[_UtilOueryExclusiveHandle] STATUS_INSUFFICIENT_RESOURCES" | |
| $a400 = "[_UtilQueryExclusiveHandle] ZwQuerySystemInformation return 0x%x" | |
| $a401 = "Match kernel handle " | |
| $a402 = "Match kernel handle is exclusivly-open " | |
| $a403 = "Match user handle " | |
| $a404 = "Match user handle is exclusivly-open. Handle: 0x%x, Object: 0x%x, SharedRead:%d SharedWrite:%d SharedDelete:%d \n" | |
| $a405 = "Exception in traverse handle table" | |
| $a406 = "[_UtilCloseExclusiveHandle] invalid handle" | |
| $a407 = "[_UtilCloseExclusiveHandle] STATUS_INSUFFICIENT_RESOURCES" | |
| $a408 = "[_UtilCloseExclusiveHandle] ZwQuerySystemInformation return 0x%x" | |
| $a409 = "ZwSetInformationObject return 0x%x" | |
| $a410 = "FileVersion1 = %d, FileVersion2 = %d, FileVersion3 = %d, FileVersion4 = %d" | |
| $a411 = " Cannot Create Memory management key in Registry 0x%x" | |
| $a412 = "UtilGetThreadStartAddressOffset(): _ethread.StartAddress=%#x" | |
| $a413 = "update CDynamicDiskMappingLis Add %wZ --> %wZ" | |
| $a414 = "CDynamicDiskMappingLis Add %wZ --> %wZ" | |
| $a415 = "[DriveTable] DrvTab(%d) Insert" | |
| $a416 = "[DriveTable] DrvTab(%d) Delete" | |
| $a417 = "BEFORE NN=%wZ" | |
| $a418 = "***NormalizeFullNtPathToDosName exception!" | |
| $a419 = "***DuplicateFullFileName exception!" | |
| $a420 = "Err-ValidateAddressWithSize(), Address: 0x%x, Size: %d, Alignment: %d, PreviousMode: %d" | |
| $a421 = " set driver status to create registry key fail 0x%x" | |
| $a422 = " set driver status to setvaluekey registry key fail 0x%x" | |
| $a423 = " clear driver status to registry key return 0x%x" | |
| $a424 = " clear driver status to delete registry key fail 0x%x" | |
| $a425 = "Success get Utility table. TableVersion=%d CalledNumber=%d" | |
| $a426 = "Certain hardcode value is zero" | |
| $a427 = "Check Driver Config certain header field invalid" | |
| $a428 = "Get Driver Config from Registry return code" | |
| $a429 = "This OS support by driver configuration. Build=%d, Major=%d, Minor=%d" | |
| $a430 = "Query EOF info fail: status=%x" | |
| $a431 = "ObReferenceObjectByHandle() fail: status=%x" | |
| $a432 = "ObOpenObjectByPointer() fail: status=%x" | |
| $a433 = "ZwCreateSection() fail: status=%x" | |
| $a434 = "Exception when retrieve file contents: 0x%x(%d)\n" | |
| $a435 = "Set file position fail: 0x%x" | |
| $a436 = "ZwMapViewOfSection() fail: status=%x" | |
| $a437 = "_XMSCheckSystemFileIO(): input buffer is NULL!\n" | |
| $a438 = "_XMSCheckSystemFileIO(): output buffer is NULL!\n" | |
| $a439 = " >>> _XMSCheckSystemFileIO() : Error!" | |
| $a440 = "_XMSCheckSystemFileIO(): CMemHook::Instance failed!\n" | |
| $a441 = "_XMSCheckSystemFileIO(): CMemHook::PreMemHookCheck failed!\n" | |
| $a442 = "_XMSCheckSystemFileIO(): CXrayAPI::Instance failed!\n" | |
| $a443 = "_XMSCheckSystemFileIO(): CSystemFileIoHook::Instance failed!\n" | |
| $a444 = "source\\tmxmsscan_x64.cpp" | |
| $a445 = "_XMSCheckSystemFileIO(): CSystemFileIoHook::Instance()->m_pXrayFileCOnfig malloc memory faild!\n" | |
| $a446 = "_XMSCheckSystemFileIO(): Check file system mj function call entry hook failed! Status = 0x%8x\n" | |
| $a447 = "_XMSCheckSystemRoutine(): input buffer is NULL!\n" | |
| $a448 = "_XMSCheckSystemRoutine(): output buffer is NULL!\n" | |
| $a449 = " >>> _XMSCheckSystemRoutine() : Error!" | |
| $a450 = "_XMSCheckSystemRoutine(): CMemHook::Instance failed!\n" | |
| $a451 = "_XMSCheckSystemRoutine(): CMemHook::PreMemHookCheck failed!\n" | |
| $a452 = "_XMSCheckSystemRoutine(): CSystemRoutineHook::Instance failed!\n" | |
| $a453 = "_XMSCheckSystemRoutine(): Check system routine - System Thread failed! Status = 0x%8x\n" | |
| $a454 = "_XMSCheckSystemRoutine(): Check system routine - Call Back Notification Routine failed! Status = 0x%8x\n" | |
| $a455 = "_XMSCheckSpecialSystemHooking(): input buffer is NULL!\n" | |
| $a456 = "_XMSCheckSpecialSystemHooking(): output buffer is NULL!\n" | |
| $a457 = " >>> _XMSCheckSpecialSystemHooking() : Error!" | |
| $a458 = "_XMSCheckSpecialSystemHooking(): CMemHook::Instance failed!\n" | |
| $a459 = "_XMSCheckSpecialSystemHooking(): CSystemHooking::Instance failed!\n" | |
| $a460 = "_XMSCheckSpecialSystemHooking(): CMemHook::PreMemHookCheck failed!\n" | |
| $a461 = "xapiCheckFileObjectType(): Check File Object Type call entry hook failed! Status = 0x%8x\n" | |
| $a462 = "xapiCheckFileObjectType(): Check File Object Type inline hook failed! Status = 0x%8x\n" | |
| $a463 = "xapiCheckIofFunction(): Check IofCompleteRequest call entry hook failed! Status = 0x%8x\n" | |
| $a464 = "xapiCheckIofFunction(): Check IofCompleteRequest inline hook failed! Status = 0x%8x\n" | |
| $a465 = "xapiCheckIofFunction(): Check IofCallDriver call entry hook failed! Status = 0x%8x\n" | |
| $a466 = "xapiCheckIofFunction(): Check IofCallDriver inline hook failed! Status = 0x%8x\n" | |
| $a467 = "_XMSCheckGeneralSystemHooking(): input buffer is NULL!\n" | |
| $a468 = "_XMSCheckGeneralSystemHooking(): output buffer is NULL!\n" | |
| $a469 = " >>> _XMSCheckGeneralSystemHooking() : Error!" | |
| $a470 = "_XMSCheckGeneralSystemHooking(): CMemHook::Instance failed!\n" | |
| $a471 = "_XMSCheckGeneralSystemHooking(): CSystemHooking::Instance failed!\n" | |
| $a472 = "_XMSCheckGeneralSystemHooking(): CMemHook::PreMemHookCheck failed!\n" | |
| $a473 = "xapiCheckIoManagerAPI(): Check IoManager function hook failed! Status = 0x%8x\n" | |
| $a474 = "_XMSCheckSystemObjectByName(): input buffer is NULL!\n" | |
| $a475 = "_XMSCheckSystemObjectByName(): output buffer is NULL!\n" | |
| $a476 = " >>> _XMSCheckSystemObjectByName() : Error!" | |
| $a477 = "_XMSCheckSystemObjectByName(): CMemHook::Instance failed!\n" | |
| $a478 = "_XMSCheckSystemObjectByName(): CMemHook::PreMemHookCheck failed!\n" | |
| $a479 = "\\SystemRoot\\System32\\" | |
| $a480 = "\\SystemRoot\\System32\\Drivers\\" | |
| $a481 = "\\FileSystem\\Ntfs" | |
| $a482 = "\\FileSystem\\FastFat" | |
| $a483 = "\\Driver\\Disk" | |
| $a484 = "Storport.sys" | |
| $a485 = "PsSetLoadImageNotifyRoutine" | |
| $a486 = "PsSetCreateProcessNotifyRoutine" | |
| $a487 = "PsSetCreateThreadNotifyRoutine" | |
| $a488 = "IofCompleteRequest" | |
| $a489 = "IofCallDriver" | |
| $a490 = "source\\tmxrayapi_x64.cpp" | |
| $a491 = "pConfig->PortDeviceInfoListHead.Flink == NULL" | |
| $a492 = "pConfig->PortDeviceInfoListHead is empty" | |
| $a493 = "pConfig->GResource == NULL" | |
| $a494 = ">>>CXrayAPI::Initialize" | |
| $a495 = "[Initialize] Xray doesn't support current OS.\n" | |
| $a496 = "Allocate memory for Xray config data failure." | |
| $a497 = "Allocate memory for GResource failure." | |
| $a498 = "Initialize kernel struct offset failure" | |
| $a499 = "_xrayGetNtBase failure." | |
| $a500 = "_xrayGetRootDeviceNode failure." | |
| $a501 = "_xrayGetDeviceTreeLock failure." | |
| $a502 = "get KeAcquireInStackQueuedSpinLockAtDpcLevel/KeReleaseInStackQueuedSpinLockFromDpcLevel failure." | |
| $a503 = "IoRegisterPlugPlayNotification failure." | |
| $a504 = "_xrayInitializePortInfo failure." | |
| $a505 = "<<<CXrayAPI::Initialize" | |
| $a506 = ">>>xrayUpdateCoreList" | |
| $a507 = "_xrayIsUpdateCoreListParaValid Failure." | |
| $a508 = "<<<xrayUpdateCoreList" | |
| $a509 = "IsGetDRxParaValid Failure." | |
| $a510 = "_xrayGetDRxMapInfo failure." | |
| $a511 = "_xrayIsReadWriteParaValid failure." | |
| $a512 = "IsPortInfoEntryInList Failure." | |
| $a513 = "_xraySuperReadWrite Failure." | |
| $a514 = "IoTranslateBusAddress" | |
| $a515 = "IoPnPDeliverServicePowerNotification" | |
| $a516 = "Get IopRootDeviceNode: from condition A" | |
| $a517 = "Get IopRootDeviceNode : from condition B" | |
| $a518 = "Get IopRootDeviceNode : from condition C" | |
| $a519 = "No Match g_ulIopRootDeviceNode" | |
| $a520 = "Get PpDevNodeLockTree: from condition A" | |
| $a521 = "Get PpDevNodeLockTree: from condition B" | |
| $a522 = "Get PpDevNodeLockTree: from condition C" | |
| $a523 = "Get IopDeviceTreeLock: from condition D" | |
| $a524 = "Get IopDeviceTreeLock: from condition E" | |
| $a525 = "No Match g_ulIopDeviceTreeLock" | |
| $a526 = "ExInitializeNPagedLookasideList" | |
| $a527 = "Get ExInitializeNPagedLookasideListInternal: from condition A" | |
| $a528 = "Get ExNPagedLookasideListHead from condition B" | |
| $a529 = "Get ExNPagedLookasideListHead from condition C." | |
| $a530 = "Get ExNPagedLookasideListHead from condition D." | |
| $a531 = "ExDeleteNPagedLookasideList" | |
| $a532 = "Get ExNPagedLookasideLock: from condition A." | |
| $a533 = "Get ExNPagedLookasideLock: from condition B. " | |
| $a534 = ">>>DiskInterfaceChangeNotify" | |
| $a535 = "%wZ is Removing,make the associated port entry invalid." | |
| $a536 = "<<<DiskInterfaceChangeNotify" | |
| $a537 = "pDevNode is invalid address." | |
| $a538 = "pLock is invalid address." | |
| $a539 = "_xrayGetPortInfoFromDevNode remaining stack size is too small!\n" | |
| $a540 = "[_xrayHandleDiskNode] _xrayGetServiceNameFromDevNode failure." | |
| $a541 = "[_xrayHandleDiskNode] _xrayGetPortPDO failure." | |
| $a542 = "[_xrayHandleDiskNode] pParentDevNode service name %S. match UASPStor, return." | |
| $a543 = "[_xrayHandleDiskNode] pParentDevObj->Characteristics 0x%x .pParentDevObj->DeviceType 0x%x " | |
| $a544 = "NULL == pAdapterBusInfo" | |
| $a545 = "pBusInfo->NumberOfBuses <= 0" | |
| $a546 = "[_xrayInternalInitializePortInfoList] _xrayGetMaxTransferDataSize failure.\n" | |
| $a547 = "InternalFillPartPortInfo Failure.\n" | |
| $a548 = "ExfReleasePushLock" | |
| $a549 = "ExfAcquirePushLockShared" | |
| $a550 = "_xrayAllocateAndInitSRB Failure." | |
| $a551 = "_xraySendOneIoRequest Failure." | |
| $a552 = "Xray Open LinkTarget %ws" | |
| $a553 = "[_xrayGetRelatedFSDriver] IoCreateFile Failure,err: 0x%08x\n" | |
| $a554 = "[_xrayGetRelatedFSDriver] ObReferenceObjectByHandle failure,err: 0x%08x\n" | |
| $w0 = "\\TmCommPortTerminateEvent" wide | |
| $w1 = "\\BaseNamedObjects\\TmCommPortSection" wide | |
| $w2 = "\\TmUserInitEvent" wide | |
| $w3 = "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\tmactmon" wide | |
| $w4 = "\\TmUserCommandPort" wide | |
| $w5 = "ObjectLength" wide | |
| $w6 = "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\tmel" wide | |
| $w7 = "ElamStatus" wide | |
| $w8 = "\\DosDevices\\TmComm" wide | |
| $w9 = "\\Device\\TmComm" wide | |
| $w10 = "BypassVolDevNormalizeReparse" wide | |
| $w11 = "Parameters" wide | |
| $w12 = "\\BaseNamedObjects\\RCM_KERNELDRV_LOADED_EVENT" wide | |
| $w13 = "\\BaseNamedObjects\\%ul_%ul_%ul_%ul" wide | |
| $w14 = "\\BaseNamedObjects" wide | |
| $w15 = "%ws\\System32\\%ws" wide | |
| $w16 = "EnableBackTrace" wide | |
| $w17 = "PsGetThreadTeb" wide | |
| $w18 = "PsGetProcessInheritedFromUniqueProcessId" wide | |
| $w19 = "Unknown" wide | |
| $w20 = "CSDVersion" wide | |
| $w21 = "CurrentBuild" wide | |
| $w22 = "CurrentBuildNumber" wide | |
| $w23 = "CurrentType" wide | |
| $w24 = "CurrentVersion" wide | |
| $w25 = "ProductId" wide | |
| $w26 = "ProductName" wide | |
| $w27 = "SystemRoot" wide | |
| $w28 = "\\Device\\ProcmonDebugLogger" wide | |
| $w29 = "\\SystemRoot" wide | |
| $w30 = "IoGetDeviceAttachmentBaseRef" wide | |
| $w31 = "ZwQuerySystemInformation" wide | |
| $w32 = "FsRtlAllocateExtraCreateParameterList" wide | |
| $w33 = "FsRtlAllocateExtraCreateParameter" wide | |
| $w34 = "FsRtlInsertExtraCreateParameter" wide | |
| $w35 = "FsRtlFreeExtraCreateParameterList" wide | |
| $w36 = "IoCreateFileEx" wide | |
| $w37 = "\\Device\\HarddiskVolume" wide | |
| $w38 = "\\Driver\\" wide | |
| $w39 = "\\??\\PhysicalDrive" wide | |
| $w40 = "\\??\\PhysicalDrive%d" wide | |
| $w41 = "ObGetObjectType" wide | |
| $w42 = "PsGetThreadId" wide | |
| $w43 = "Version" wide | |
| $w44 = "IoVolumeDeviceToDosName" wide | |
| $w45 = "RtlVolumeDeviceToDosName" wide | |
| $w46 = "KeAreAllApcsDisabled" wide | |
| $w47 = "ZwOpenThreadTokenEx" wide | |
| $w48 = "ZwOpenProcessTokenEx" wide | |
| $w49 = "\\DosDevices\\A:\\" wide | |
| $w50 = "RtlGetVersion" wide | |
| $w51 = "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion" wide | |
| $w52 = "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\tmcomm" wide | |
| $w53 = "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management" wide | |
| $w54 = "VerifyDriverLevel" wide | |
| $w55 = "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\tmcomm\\Parameters" wide | |
| $w56 = "RequireOplock" wide | |
| $w57 = "\\Sessions\\0\\DosDevices\\%08x-%08x" wide | |
| $w58 = "\\\\Client\\%c:" wide | |
| $w59 = "\\\\TSClient\\%c" wide | |
| $w60 = "\\\\TSClient\\" wide | |
| $w61 = "DRIVER_STATUS" wide | |
| $w62 = "Directory" wide | |
| $w63 = "SymbolicLink" wide | |
| $w64 = "KeAcquireInStackQueuedSpinLockAtDpcLevel" wide | |
| $w65 = "KeReleaseInStackQueuedSpinLockFromDpcLevel" wide | |
| $w66 = "\\Device\\Harddisk%d\\DR%d" wide | |
| $w67 = "\\Device\\Harddisk%i" wide | |
| $w68 = "\\DosDevices\\%c:" wide | |
| $w69 = "\\WINDOWS" wide | |
| $w70 = "\\Device\\Harddisk%i\\Partition%d" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {93686737B5AF128C8D97C7DC87C8943D7B4AF3AF0DBC2E3CD6749DDF4851AD501F3B44526720BC74BEA7C6B21A62AE7CE0446743B9C1162F728213326E75E9CEE30F6FFF1D920670E036C5CEFA87EC0F6093A9A646DA24D07A075C481333E3EE99837C13436ABE0F3385365B1E2F3F6E1F9F14D1407716102229389895DC817290F4EAF3387369CEDEA77D6CECD635E4177B0B2B5A8E54268ADF0A408ECA89D2690E8200F6D266A496B4904126F56C99F7118C4DD0C499CEAB23773BDDE3A347FC058F11C2C1381892B85A877FDCB754FE7D35C34D241A2160FB7073DBA787DB2ABEC25918B197695F382FBED1590CC4CC54D3DFBF728DA5D91E9CBEBC06BDAB} | |
| $m3 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m4 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "IOCTL_PHYMEM_GETCHANNEL\n" | |
| $a1 = "IOCTL_PHYMEM_SETCHANNEL\n" | |
| $a2 = "inBufLength=%x outBufLength=%x" | |
| $a3 = "IoControlCode = %x" | |
| $a4 = "Call to MmMapLocked failed due to exception 0x%0x\n" | |
| $a5 = "Map physical 0x%p to virtual 0x%p, size %u" | |
| $a6 = "Call to ExAllocatePoolWithTag MAPINFO failed\n" | |
| $a7 = "Call to MmMapLockedPagesSpecifyCache MAPINFO failed\n" | |
| $a8 = "Hardware ID: 0x%08X\n" | |
| $a9 = "!!!!!!SmiPort=0x%x SmiCommand=0x%x SmiSubCommand=0x%x!!\n" | |
| $a10 = "KeActiveProcessors=0x%zx" | |
| $a11 = "SmiResult=%d\n" | |
| $a12 = "!!IOCTL_PHYMEM_GETCHANNEL\n" | |
| $a13 = "MutexType =%x AddrRegOffset = %x AddrRegValue = %x\n" | |
| $a14 = "DataRegOffset =%x DataRegValue = %x WaitTime = %x\n" | |
| $a15 = "!!IOCTL_PHYMEM_SETCHANNEL\n" | |
| $a16 = "!!IOCTL_PHYMEM_INFORM_FP_FW_S3S4S5\n" | |
| $w0 = "\\Registry\\MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Power" wide | |
| $w1 = "HiberbootEnabled" wide | |
| $m0 = {C6CCE573E6FBD4BBE52D2D32A6DFE5813FC9CD2549B6712AC3D5943467A20A1CB05F69A640B1C4B7B28FD098A4A941593AD3DC94D63CDB7438A44ACC4D2582F74AA5531238EEF3496D71917E63B6ABA65FC3A484F84F6251BEF8C5ECDB3892E306E508910CC4284155FBCB5A89157E71E835BF4D72093DBE3A38505B77311B8DB3C724459AA7AC6D00145A04B7BA13EB510A984141224E656187814150A6795C89DE194A57D52EE65D1C532C7E98CD1A0616A46873D03404135CA171D35A7C55DB5E64E13787305604E511B4298012F1793988A202117C2766B788B778F2CA0AA838AB0A64C2BF665D9584C1A1251E875D1A500B2012CC41BB6E0B5138B84BCB} | |
| $m1 = {B2C903159C2CCD4711FF52F322EA54BBA49BE1E9E1230130264D25CD4AB95B0B79625B9A7B70A16226430B51060D58145DC6B24BF5C9F20AB4F6A12C6EABFF2A819A1132FA0EF5F9ED9FA1E0017E916D2B016AA9E82DB6144561235B1DE77004003A398900477A522978C287894D7DFE7764D2201CBD0D403A9310820D43CDB921B86D1B8ECBB7374E758DD0678B821EE55542B617417393FA6755C1B81FA5969C60C34318D527D45F86FEAFDC95111862BE2CA9D308B8CA264E23CC2A0DF0F69557FCC7F3E1BB046D7BDE904A6C61798CA3FB70231E302C240645FF941B76A1DEC66764C85AB8E646D5134BB3D660204B8F0949359DD4FFDD4DB3EF3D3BFCBD} | |
| $m2 = {A3645DFC7CB3E08235E0E0F6C62AE649753BCC6EE053A99F1F6459E67C6B7F6B8C9D55F892E39ED55A635B024950D983CE6F66EEDDCB85E95FA5F9D4877488443B19C9E5F5919FC61439AC24EAA84B2C9189CC5E28F464B650B7F512B373960A67A3BE619FAEF3FD1278750EA65B14FD45238E8644557D1886058C5587794846F7CA0E8DA7DE4E5FE2A8B62D5902618861721868B9B87CEEE6E7342F317781301FBB36018DEF27E3F79AF04C31648DE3EBFA1987A87ECFEC8C0C365B7AC17AB878C7C9062E4610C88DE80460DBBC7374FA4ED8FEAA40F1B2CE704683E9DA40A1593AD915095799563093F3C961CCD008CC6BEC624291AC02C0EFA4F089118F77} | |
| $m3 = {B906741C5DB420AAA921A82A4246AB25201725CB228F90A2A0316B830575AFB20E7C12497B6A8664840F83DC64B9B16E16053E1C95B9E7E7886DB862819079D4DDF5E296F9C3B58823574A1ACF7129E908008FB598E3A732FDAC2EB8F49353F40A394391AFD56BE8D49F46BD8E3DABE2F92BD4EA00406624B7E87FB444758D789AAE31C137CF4E1F5BF8454AD73FC2C9920664BEDE068AAFD0E88AB1F02C88006F0BDC85A74CCB06BFD62E2A326E2971AF8E22F30FD0D898482DA808CBB68B23C263E0B673EB6F7D264F8BF7343D37860CB77827F4C286DB436B5AF83D3DF4E8B06256C6E7ED78A1FBFD7A724F3265C47CC3C477A0043232ED8F3FAF86DD7ED1} | |
| $m4 = {E8822D99F9CAC24295A580734070D29E56545CA9C4D241068FC933FC4D45915C819FED2C9CF81659DF9EB52415C298B9B47749DC89C40ADAAFCB5E6BEDADB07131EBCF3A400C464D93EC8B7A360803AB0C34FE184982FEC7C73148807C1EA20F920E50C9C687EB363FD830C3FFA6F7FBA2CD6F7323FEAC560590F032211689C67088F905977DA3C743DD02E83B3DEDB141A3ED3FBEDB9548C4EE1EB3F2BC0C2B99D0C65D124281E1836E82733F264B1490AE59660AC48DBED2CE06AEAD846F48849B4F40B9F14CF2AF98FBF6CE405D5CF6A8F12FAFEC8922F26B1865B1C173ADD7F1D8CF1E0A745C42B8687EB7D5770A27567C0F62A43F32146095FD0704A209} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "PsSuspendProcess" wide | |
| $w1 = "PsResumeProcess" wide | |
| $w2 = "ZwQuerySystemInformation" wide | |
| $w3 = "ZwQueryInformationProcess" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {D8D27FCC0552D15C3986903D9E05D25CE52D4F9AA84DCEDF21EE3A2FCBDB5BF42510800E98E97FCD8CAC5FD2C6060892A2BDE2F00DEFD3164294890EA94D4A13E6D4EF8CB99C85842B2580C89318BB991958938F0CC8CF4F2A8CE68FEC80AD5756D63BA7EA0A804E709F00AEB91A484EE9B952F39722CAB2AB7147B135DE910A3481219E243274A185508716F8FC4315039712B0581E271EA9A1D2B2B8EE53AD85C54F5F60DEAF3351289E02F197E1CCE0E0560642C3CDDD3316D0311F30DCEAE880011D6FAFD04365084A90C5FB7DDFCF13194FE72C813116730B176AEC88E31D7D70967B1F710FE15A1BC680ACFF7814FB596706C31FA8735B75B121951A77} | |
| $m3 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m4 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\driveragent%d" wide | |
| $w1 = "\\DosDevices\\driveragent%d" wide | |
| $w2 = "\\BaseNamedObjects\\HW64IrqEvent%d" wide | |
| $w3 = "\\BaseNamedObjects\\HW64KbdEvent%d" wide | |
| $w4 = "\\Device\\PhysicalMemory" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {B24F14E710BED72672AB3697EF53BF42845E58D18A28FC43466F7E2844500B755D00D73C0A449E206AA4F7454A3760A36E3F12FA6DFAB646C36AA3B80C2728025728D150F7613955B8C3E12586523CBF051DD7B39AF89A243149D5A2A9E2D391AB3E3C73EFF629F1C835D0307B7F4E92A5068F87E2CEF5C16366AC18692AC15EBB5AE86E95FF3B80629D99C7C72F66D5FD621A82555AC6FA40778EC9303C1BF0F235B86C599CFDE9D6CAB4401EF704CAD167A974E3A50854D983353B8E8C230C75B6DE864A9E1A3E0A5049389CD2A890BF98FAC88C2B27117E2AFBCEDEA9AE389322FAA6ECFB5C6176C344D6CC0C7E2F6D0680A27440BBB71FF43BD773541FF3} | |
| $m2 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m3 = {A7A4AEA8B927522DF66617007C2743C58A71463BAD6826C7CAA494CCA71CB6F09B72C4DADA7C65631760567C90D9732523D63A5305509D3A45D3313C236096ABA3986D60774731A18DFAF84784A131A6FC1EF2267AAF4824E7779DBEABE6FB974A925819287ABFDA00973A3D6F15986F4F471D22C4AD47F9F2FDBD3A5D77D400608EEB9F057486A010D8EA89B0D00B6B4D6FA87CC249D3D68FE3B21A6D7871946F5D096B7D81F7E7EA0BB617AAEC86F6189CF1DBE4CE1893EB8E9BF8C4724420181254A164E217D4068BD394D6EF3ABE72E8EBCE90FEC883E440B2C68BD0C960043EBF2DF29C4D92653876C86AE40A8EC8FABA9F5C6B0811944FE7C4911A5B95} | |
| $m4 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_74a846c61adc53692d3040aff4c1916f32987ad72b07fe226e9e7dbeff1036c4 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "74a846c61adc53692d3040aff4c1916f32987ad72b07fe226e9e7dbeff1036c4" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "CITMDRV.SYS: ZwCreateFile failed (0x%x)\n" | |
| $a1 = "CITMDRV.SYS: unload...\n" | |
| $a2 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_WRITECOMBINE\n" | |
| $a3 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_NOCACHE\n" | |
| $a4 = "CITMDRV.SYS: ZwUnmapViewOfSection failed (0x%x)\n" | |
| $a5 = "CITMDRV.SYS: copy %u bytes into user memory\n" | |
| $a6 = "CITMDRV.SYS: virtualAddress=0x%p\n" | |
| $a7 = "CITMDRV.SYS: Insufficient input or output buffer\n" | |
| $a8 = "CITMDRV.SYS: MmProbeAndLockPages access violation\n" | |
| $a9 = "CITMDRV.SYS: ZwMapViewOfSection failed (0x%x)\n" | |
| $a10 = "CITMDRV.SYS: userOffset = 0x%x\n" | |
| $a11 = "CITMDRV.SYS: requested offset = 0x%x\n" | |
| $a12 = "CITMDRV.SYS: aligned Address = 0x%I64x\n" | |
| $a13 = "CITMDRV.SYS: Try to split into single pages\n" | |
| $a14 = "CITMDRV.SYS: ZwOpenSection failed (0x%x)\n" | |
| $a15 = "CITMDRV.SYS: offset = 0x%x\n" | |
| $a16 = "CITMDRV.SYS: aligned end Address = 0x%I64x\n" | |
| $a17 = "CITMDRV.SYS: aligned start Address = 0x%I64x\n" | |
| $a18 = "CITMDRV.SYS: requested Size = 0x%x\n" | |
| $a19 = "CITMDRV.SYS: requested Address = 0x%I64x\n" | |
| $a20 = "CITMDRV.SYS: IoAllocateMdl failed\n" | |
| $a21 = "CITMDRV.SYS: userVirtualAddress = 0x%p\n" | |
| $a22 = "CITMDRV.SYS: IRP_MJ_CREATE\n" | |
| $a23 = "CITMDRV.SYS: unknown IRP_MJ_DEVICE_CONTROL\n" | |
| $a24 = "CITMDRV.SYS: IoCreateDevice failed\n" | |
| $a25 = "CITMDRV.SYS: IoCreateSymbolicLink failed\n" | |
| $a26 = "CITMDRV.SYS: DriverEntry...\n" | |
| $w0 = "\\DosDevices\\CITMDRV" wide | |
| $w1 = "\\Device\\PhysicalMemory" wide | |
| $w2 = "\\Device\\CITMDRV" wide | |
| $m0 = {A9596674DA3D8A7D7AD8FCF580447BFE476A14554E50470BECD3EDCEF638F74F69B9B1F0B678820A8C761667E202ADB70DA58AF603FC66D3FC082DCCB573597B89DC336E665A5E5237B462D1925935148B45AC59B24D24A298946842729F3A68E26B8B9E222DF4984E9AC6AFB3E4A0AB3C28BF23E1D772A4F2105367AE77AF51} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {C19C559C6A1B732FDAC3DEF6D5255CF6D9C9116D00B46A3D4C1D2351789690D3CCD17891EC9A395511748C2F4C0B6B98C6BBBEE515A6A7450D6F3048153E46FE0FCFAA68D4F1D32E35EA6BCA67FA90A8F3A533A3711A685B4E4219E4CE7A2DBBE5C0BBCE17167C18741E76C599D7D6073C70CA65FB1923BE80260E86FF71125D} | |
| $m3 = {BE671DB460AA10496F56177C66C95E860DD5F1ACA771838E8B89F88804891506BA2D842195E4D19C504CFBD222BDDAF2B2353B1E8FC309FBFC132E5ABF897C3D3B251EF6F3587B9CF401B5C60AB880CEBE27746167274D6AE5EC81615879A3E01710121527B0E14D347F2B472044B9DE6624668ACD4FBA1FC538C85490E172F61966756AB94968CF38790DAA30A8DB2C60489ED7AA1401A983D7389130391396033A7C4054B6ADE02F1B83DCA811523E02B3D72BFD21B6A75CA30F0BA9A610500E342E4DA7CEC95E25D48CBCF36E7C29BC015DFC31875AD58C8567588819A0BF35F0EA2BA321E790F683E5A8ED60785E7B6083FD570B5D410D635460D64321EF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_e61a54f6d3869b43c4eceac3016df73df67cce03878c5a6167166601c5d3f028 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "e61a54f6d3869b43c4eceac3016df73df67cce03878c5a6167166601c5d3f028" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "CITMDRV.SYS: ZwCreateFile failed (0x%x)\n" | |
| $a1 = "CITMDRV.SYS: unload...\n" | |
| $a2 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_WRITECOMBINE\n" | |
| $a3 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_NOCACHE\n" | |
| $a4 = "CITMDRV.SYS: ZwUnmapViewOfSection failed (0x%x)\n" | |
| $a5 = "CITMDRV.SYS: copy %u bytes into user memory\n" | |
| $a6 = "CITMDRV.SYS: virtualAddress=0x%p\n" | |
| $a7 = "CITMDRV.SYS: Insufficient input or output buffer\n" | |
| $a8 = "CITMDRV.SYS: ZwMapViewOfSection failed (0x%x)\n" | |
| $a9 = "CITMDRV.SYS: aligned Address = 0x%I64x\n" | |
| $a10 = "CITMDRV.SYS: requested offset = 0x%x\n" | |
| $a11 = "CITMDRV.SYS: userOffset = 0x%x\n" | |
| $a12 = "CITMDRV.SYS: Try to split into single pages\n" | |
| $a13 = "CITMDRV.SYS: ZwOpenSection failed (0x%x)\n" | |
| $a14 = "CITMDRV.SYS: offset = 0x%x\n" | |
| $a15 = "CITMDRV.SYS: aligned end Address = 0x%I64x\n" | |
| $a16 = "CITMDRV.SYS: aligned start Address = 0x%I64x\n" | |
| $a17 = "CITMDRV.SYS: requested Size = 0x%x\n" | |
| $a18 = "CITMDRV.SYS: requested Address = 0x%I64x\n" | |
| $a19 = "CITMDRV.SYS: MmProbeAndLockPages access violation\n" | |
| $a20 = "CITMDRV.SYS: IoAllocateMdl failed\n" | |
| $a21 = "CITMDRV.SYS: userVirtualAddress = 0x%p\n" | |
| $a22 = "CITMDRV.SYS: unknown IRP_MJ_DEVICE_CONTROL\n" | |
| $a23 = "CITMDRV.SYS: IRP_MJ_CREATE\n" | |
| $a24 = "CITMDRV.SYS: IoCreateDevice failed\n" | |
| $a25 = "CITMDRV.SYS: IoCreateSymbolicLink failed\n" | |
| $a26 = "CITMDRV.SYS: DriverEntry...\n" | |
| $w0 = "\\DosDevices\\CITMDRV" wide | |
| $w1 = "\\Device\\PhysicalMemory" wide | |
| $w2 = "\\Device\\CITMDRV" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {D66D48AB487B00E92CAB08B846957A4918A507E5A6ACF04FEDCD529AB14D7EB0444DED486867E9C23B5CE55969AE520C6E556E2D1583277A6A09479D9CE2104BB76D1332005412F7D28AA1A85027F622F542F2832FB348F0454BE2D13BAD717280718D798272374000C8DF32748EB926321695E71ACA96FA4B55ACF24DF9A780BDEFE07205866592C1941457898ACB2A866226CF5C5E336C59B9D4359DAB8D340FCC0606C7565AEC8D5AACC37AAED10DD2F72260F831D1FA7ED05D69C7EF31C65424CAF31BF2D9482EA4108D0F7D13B30D6D5FC88D516E9992518D418A871F6CEBC20E55012AB2B7C73611995439723309A26374311F3C4C5D324E6CE5B2EAA3} | |
| $m3 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m4 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_af095de15a16255ca1b2c27dad365dff9ac32d2a75e8e288f5a1307680781685 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "af095de15a16255ca1b2c27dad365dff9ac32d2a75e8e288f5a1307680781685" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "CITMDRV.SYS: ZwCreateFile failed (0x%x)\n" | |
| $a1 = "CITMDRV.SYS: unload...\n" | |
| $a2 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_WRITECOMBINE\n" | |
| $a3 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_NOCACHE\n" | |
| $a4 = "CITMDRV.SYS: ZwUnmapViewOfSection failed (0x%x)\n" | |
| $a5 = "CITMDRV.SYS: copy %u bytes into user memory\n" | |
| $a6 = "CITMDRV.SYS: virtualAddress=0x%p\n" | |
| $a7 = "CITMDRV.SYS: Insufficient input or output buffer\n" | |
| $a8 = "CITMDRV.SYS: MmProbeAndLockPages access violation\n" | |
| $a9 = "CITMDRV.SYS: ZwMapViewOfSection failed (0x%x)\n" | |
| $a10 = "CITMDRV.SYS: userOffset = 0x%x\n" | |
| $a11 = "CITMDRV.SYS: requested offset = 0x%x\n" | |
| $a12 = "CITMDRV.SYS: aligned Address = 0x%I64x\n" | |
| $a13 = "CITMDRV.SYS: Try to split into single pages\n" | |
| $a14 = "CITMDRV.SYS: ZwOpenSection failed (0x%x)\n" | |
| $a15 = "CITMDRV.SYS: offset = 0x%x\n" | |
| $a16 = "CITMDRV.SYS: aligned end Address = 0x%I64x\n" | |
| $a17 = "CITMDRV.SYS: aligned start Address = 0x%I64x\n" | |
| $a18 = "CITMDRV.SYS: requested Size = 0x%x\n" | |
| $a19 = "CITMDRV.SYS: requested Address = 0x%I64x\n" | |
| $a20 = "CITMDRV.SYS: IoAllocateMdl failed\n" | |
| $a21 = "CITMDRV.SYS: userVirtualAddress = 0x%p\n" | |
| $a22 = "CITMDRV.SYS: IRP_MJ_CREATE\n" | |
| $a23 = "CITMDRV.SYS: unknown IRP_MJ_DEVICE_CONTROL\n" | |
| $a24 = "CITMDRV.SYS: IoCreateDevice failed\n" | |
| $a25 = "CITMDRV.SYS: IoCreateSymbolicLink failed\n" | |
| $a26 = "CITMDRV.SYS: DriverEntry...\n" | |
| $w0 = "\\DosDevices\\CITMDRV" wide | |
| $w1 = "\\Device\\PhysicalMemory" wide | |
| $w2 = "\\Device\\CITMDRV" wide | |
| $m0 = {A9596674DA3D8A7D7AD8FCF580447BFE476A14554E50470BECD3EDCEF638F74F69B9B1F0B678820A8C761667E202ADB70DA58AF603FC66D3FC082DCCB573597B89DC336E665A5E5237B462D1925935148B45AC59B24D24A298946842729F3A68E26B8B9E222DF4984E9AC6AFB3E4A0AB3C28BF23E1D772A4F2105367AE77AF51} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {C19C559C6A1B732FDAC3DEF6D5255CF6D9C9116D00B46A3D4C1D2351789690D3CCD17891EC9A395511748C2F4C0B6B98C6BBBEE515A6A7450D6F3048153E46FE0FCFAA68D4F1D32E35EA6BCA67FA90A8F3A533A3711A685B4E4219E4CE7A2DBBE5C0BBCE17167C18741E76C599D7D6073C70CA65FB1923BE80260E86FF71125D} | |
| $m3 = {BE671DB460AA10496F56177C66C95E860DD5F1ACA771838E8B89F88804891506BA2D842195E4D19C504CFBD222BDDAF2B2353B1E8FC309FBFC132E5ABF897C3D3B251EF6F3587B9CF401B5C60AB880CEBE27746167274D6AE5EC81615879A3E01710121527B0E14D347F2B472044B9DE6624668ACD4FBA1FC538C85490E172F61966756AB94968CF38790DAA30A8DB2C60489ED7AA1401A983D7389130391396033A7C4054B6ADE02F1B83DCA811523E02B3D72BFD21B6A75CA30F0BA9A610500E342E4DA7CEC95E25D48CBCF36E7C29BC015DFC31875AD58C8567588819A0BF35F0EA2BA321E790F683E5A8ED60785E7B6083FD570B5D410D635460D64321EF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_7049f3c939efe76a5556c2a2c04386db51daf61d56b679f4868bb0983c996ebb | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "7049f3c939efe76a5556c2a2c04386db51daf61d56b679f4868bb0983c996ebb" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\DosDevices\\CrystalSysInfo" wide | |
| $w1 = "\\Device\\CrystalSysInfo" wide | |
| $m0 = {C6BCD918CF65D1873C8AFC9A0942B968C9F0BD6807B070611D73DFACDDF6BEDC36127E5C6079BE65640F2C12A65CB053C97A98011588C787BD81902DAD544B4C0CDA4DCF87A1D155CEC97BE3ACCA492FBB2222210D6ECE8421DD6B0A3F7FA02952C441029D8FBD2392A35BAB14FDFB5C7A6B9CC71AE6E4D6C9FCECE71D916EA62B6337EE7BF76FBD6137AD7E690A2FC6EB34BB3E09E8A9806DEC1A9D897A93336BE05307278ACEC04DA7E20A92FC5FF15716E863E7D251F50D8E892DB6C291C04592488087522D84F46D7201E5CF9BD831FE2BA6AAA5397F3AC78A7AD5FB27A0FC8CDE13C0F280FE92FEA842D30F49A793BA0C64B408D6B8C2FD02EA475DBAE7} | |
| $m1 = {BDEF30F130F134A98965774D46A78D90FDAE4F8ECA2817BA59E3A8920A45032A8A8FE50950555281F0A391B1D9122A81F6C2031C3C82C072CDF1A700D7F5549C0A47EE9A9541928EA0AD093DD3EBA274AD9F192009B67DA65E359F4F396A03B58AAD1F96626B17B9AB8760D55D6DD992C9D013AED488D950A8449104B0EA47EA5FB2ED04C1D7017C21F8C47123FC6B4C654433C38D1DE6D2661C522946C406E70B35F05901660089CF9CE37B78AA53E2EEAC3595E7FD5DD7429495D31A6E315547D7EBADC74C9F5471831A17C8F9E7CE5801F436BFAE3F599F657C40075C732034A212C349F46840691E89E085E93AB79763BB47B0396B41007EF54BB87FE321} | |
| $m2 = {A29B752AA713BA09712418DFA1066229129EDC9E7573E8DF5657699613564FF2C8BC0158ED2686720B60F519C55503579BB910C9A1D47440FF6C00E8E65337FEB7DA793EB85238E9812C9F0E3352A6CD70CE4A5D62F4D1675EBC974A07CABCDD8D47B1CDF1655B8501B04B6BDECD8E2EF550E8A39C9D26986B366341037044F05FE2257579507D5FA106A2460C55954714D39146866899E727F494EC9A4151F796D47A8CE14497687103D8586FBDB41042EE0D6675468B4496D23000120763F7449B0170CA566F9C58972A27178B2E71526D46ABA72B0F7F164864C852FA0617000774D745B30CF5789573E80AEEC4E0728C1E11AA1EBB5ECEF9B400EE73BDCD} | |
| $m3 = {CDCB1B731DA7FFDFC3AE4782C100F2913C1080D775E6A2E0B08AF86B73C248F9D98482DB6FBEAEBF56529935AFD6C2E3E2D1D4B6A79350720480F4C96B15F3FC7C3B584F77E24904628B999062038592FE0C6BDF41C4B28D581E88B9106104B4C7839CC2B116D6BD649507F9F9A65A3991523A2C27F8D0DCD31A9A598510B50061253B3D1317C8114C76A6FE4C61CC59D2C44330215C1540094F73E1C195A465668FDBD3A83011F9C5AC131150A84FB7541FECAF991A39A0ED2803117BBAB0B2FB843EB6F8744B899B990A9AE7F8894DB889C9B4A500339065C44260CEBC43423813D5DE5B6BA24ED13F4A3945675801B82353EF370766017FBF6709050BE7BF} | |
| $m4 = {B0B1F2800070CEECC38CB497EDC6098C266F89DF675981CFDE14134CC2B145E2537541FA07366FBA117028947C6D72BD071525653A09FF85DCFA7B5E378738E4C74B0880989E8ACD580902C0C30149965888892659F56DC6B9C1FB1825EDD8624ECA0A6C5D70EFCED39B290B09C6F6EEB616D43C548ECC5DE0AFDBDD2309327B328116620A06CB7ACF3421B66F36B6B1CECB9A2935403E9D587CFFAD8298FAB8D589CA35DDCBCD5706CB9BE4BF94A880985F7796F0B6E7AB74794021A663E9D00791BD8538B4AE96ACA1FF1473DAA545B84D86CE2A3CEFD4DF280E75A9A88813C2E47C6093F225CC038497E64EB69F2DD6B58B343CABD5383AC83DC4B1F994CD} | |
| $m5 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\NTIOLib_ACTIVE_X" wide | |
| $w1 = "\\DosDevices\\NTIOLib_ACTIVE_X" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {B24F14E710BED72672AB3697EF53BF42845E58D18A28FC43466F7E2844500B755D00D73C0A449E206AA4F7454A3760A36E3F12FA6DFAB646C36AA3B80C2728025728D150F7613955B8C3E12586523CBF051DD7B39AF89A243149D5A2A9E2D391AB3E3C73EFF629F1C835D0307B7F4E92A5068F87E2CEF5C16366AC18692AC15EBB5AE86E95FF3B80629D99C7C72F66D5FD621A82555AC6FA40778EC9303C1BF0F235B86C599CFDE9D6CAB4401EF704CAD167A974E3A50854D983353B8E8C230C75B6DE864A9E1A3E0A5049389CD2A890BF98FAC88C2B27117E2AFBCEDEA9AE389322FAA6ECFB5C6176C344D6CC0C7E2F6D0680A27440BBB71FF43BD773541FF3} | |
| $m2 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m3 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| $m4 = {D344CA36E2A4B301068AAE6A67185909CBECE0DD0895A0069EB53D13C93F64806A17BE17C85C7A9F4E5516A462BBE7A31C8DDEF592BB3B14FB11BB17C626A0559499A911B2A5340DA5469690096A12FFCED32D4926DC591AA6D229A1F107391DD0660147449C4F7F65BF892A40109C011150DCD547E37A29C578A2AE74055B7295BF7B2721F75FA4D2376BA10BE4210AD4B713A43FBBBE97B2EBE0CB3917F3B096019C79774F84CF890B893AE01B54632ACBAF60C16FE1AD445E787AD217F60DCF4AB4CA6327CA5AF7BA5B3FC2F4D7DDAB767ED82F2E0D873055CDC27257E8BB2BF4CA19ED0D84A4B9DFBC1B803C912F41F732FD4E31E1EC83190791FC6240A7} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_4a3d4db86f580b1680d6454baee1c1a139e2dde7d55e972ba7c92ec3f555dce2 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "4a3d4db86f580b1680d6454baee1c1a139e2dde7d55e972ba7c92ec3f555dce2" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "CITMDRV.SYS: ZwCreateFile failed (0x%x)\n" | |
| $a1 = "CITMDRV.SYS: unload...\n" | |
| $a2 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_WRITECOMBINE\n" | |
| $a3 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_NOCACHE\n" | |
| $a4 = "CITMDRV.SYS: ZwUnmapViewOfSection failed (0x%x)\n" | |
| $a5 = "CITMDRV.SYS: copy %u bytes into user memory\n" | |
| $a6 = "CITMDRV.SYS: virtualAddress=0x%p\n" | |
| $a7 = "CITMDRV.SYS: Insufficient input or output buffer\n" | |
| $a8 = "CITMDRV.SYS: ZwMapViewOfSection failed (0x%x)\n" | |
| $a9 = "CITMDRV.SYS: aligned Address = 0x%I64x\n" | |
| $a10 = "CITMDRV.SYS: requested offset = 0x%x\n" | |
| $a11 = "CITMDRV.SYS: userOffset = 0x%x\n" | |
| $a12 = "CITMDRV.SYS: Try to split into single pages\n" | |
| $a13 = "CITMDRV.SYS: ZwOpenSection failed (0x%x)\n" | |
| $a14 = "CITMDRV.SYS: offset = 0x%x\n" | |
| $a15 = "CITMDRV.SYS: aligned end Address = 0x%I64x\n" | |
| $a16 = "CITMDRV.SYS: aligned start Address = 0x%I64x\n" | |
| $a17 = "CITMDRV.SYS: requested Size = 0x%x\n" | |
| $a18 = "CITMDRV.SYS: requested Address = 0x%I64x\n" | |
| $a19 = "CITMDRV.SYS: MmProbeAndLockPages access violation\n" | |
| $a20 = "CITMDRV.SYS: IoAllocateMdl failed\n" | |
| $a21 = "CITMDRV.SYS: userVirtualAddress = 0x%p\n" | |
| $a22 = "CITMDRV.SYS: unknown IRP_MJ_DEVICE_CONTROL\n" | |
| $a23 = "CITMDRV.SYS: IRP_MJ_CREATE\n" | |
| $a24 = "CITMDRV.SYS: IoCreateDevice failed\n" | |
| $a25 = "CITMDRV.SYS: IoCreateSymbolicLink failed\n" | |
| $a26 = "CITMDRV.SYS: DriverEntry...\n" | |
| $w0 = "\\DosDevices\\CITMDRV" wide | |
| $w1 = "\\Device\\PhysicalMemory" wide | |
| $w2 = "\\Device\\CITMDRV" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {D66D48AB487B00E92CAB08B846957A4918A507E5A6ACF04FEDCD529AB14D7EB0444DED486867E9C23B5CE55969AE520C6E556E2D1583277A6A09479D9CE2104BB76D1332005412F7D28AA1A85027F622F542F2832FB348F0454BE2D13BAD717280718D798272374000C8DF32748EB926321695E71ACA96FA4B55ACF24DF9A780BDEFE07205866592C1941457898ACB2A866226CF5C5E336C59B9D4359DAB8D340FCC0606C7565AEC8D5AACC37AAED10DD2F72260F831D1FA7ED05D69C7EF31C65424CAF31BF2D9482EA4108D0F7D13B30D6D5FC88D516E9992518D418A871F6CEBC20E55012AB2B7C73611995439723309A26374311F3C4C5D324E6CE5B2EAA3} | |
| $m3 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m4 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\DosDevices\\MyDrivers0_0_1" wide | |
| $w1 = "\\Device\\MyDrivers0_0_1" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {EC7BEB48AC5B80C696F34AEAF5AB1864F6B5E0D3C80EE4DBE5858FEBB4A2779C3E978E5151B0288635D3111EC448BB3498A5F9E7EBFD64DBF1834FA7D5F956F630064127C4B567E9ED0A0C0351A86D2D0DF95C12EFBD9B386B67BA3CC86D56A486DF547DBE8CEAC36EE830FEC9D36FDAA544F231A356F85042C64A2ABD611614B6FC5CC6F24645CFC6DB2288EBA14C4FF8F6AB697FA048A959D2B63F4DA1CD954EA4C86DE4A197AF48E32785837FCBBA76DFC34B50D085AD3A87EB7E3B92823ABE95292732E4E69CEEE878FCBA3EACCD2C9D3386EA6A7065077E4684B09D0224E27F945398FA7D85C27E0378E0F918ACE87C1330A34B40D103657FED343CC12D} | |
| $m3 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m4 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82" | |
| created = "2023-04-07" | |
| strings: | |
| $m0 = {C6CCE573E6FBD4BBE52D2D32A6DFE5813FC9CD2549B6712AC3D5943467A20A1CB05F69A640B1C4B7B28FD098A4A941593AD3DC94D63CDB7438A44ACC4D2582F74AA5531238EEF3496D71917E63B6ABA65FC3A484F84F6251BEF8C5ECDB3892E306E508910CC4284155FBCB5A89157E71E835BF4D72093DBE3A38505B77311B8DB3C724459AA7AC6D00145A04B7BA13EB510A984141224E656187814150A6795C89DE194A57D52EE65D1C532C7E98CD1A0616A46873D03404135CA171D35A7C55DB5E64E13787305604E511B4298012F1793988A202117C2766B788B778F2CA0AA838AB0A64C2BF665D9584C1A1251E875D1A500B2012CC41BB6E0B5138B84BCB} | |
| $m1 = {B2C903159C2CCD4711FF52F322EA54BBA49BE1E9E1230130264D25CD4AB95B0B79625B9A7B70A16226430B51060D58145DC6B24BF5C9F20AB4F6A12C6EABFF2A819A1132FA0EF5F9ED9FA1E0017E916D2B016AA9E82DB6144561235B1DE77004003A398900477A522978C287894D7DFE7764D2201CBD0D403A9310820D43CDB921B86D1B8ECBB7374E758DD0678B821EE55542B617417393FA6755C1B81FA5969C60C34318D527D45F86FEAFDC95111862BE2CA9D308B8CA264E23CC2A0DF0F69557FCC7F3E1BB046D7BDE904A6C61798CA3FB70231E302C240645FF941B76A1DEC66764C85AB8E646D5134BB3D660204B8F0949359DD4FFDD4DB3EF3D3BFCBD} | |
| $m2 = {A3645DFC7CB3E08235E0E0F6C62AE649753BCC6EE053A99F1F6459E67C6B7F6B8C9D55F892E39ED55A635B024950D983CE6F66EEDDCB85E95FA5F9D4877488443B19C9E5F5919FC61439AC24EAA84B2C9189CC5E28F464B650B7F512B373960A67A3BE619FAEF3FD1278750EA65B14FD45238E8644557D1886058C5587794846F7CA0E8DA7DE4E5FE2A8B62D5902618861721868B9B87CEEE6E7342F317781301FBB36018DEF27E3F79AF04C31648DE3EBFA1987A87ECFEC8C0C365B7AC17AB878C7C9062E4610C88DE80460DBBC7374FA4ED8FEAA40F1B2CE704683E9DA40A1593AD915095799563093F3C961CCD008CC6BEC624291AC02C0EFA4F089118F77} | |
| $m3 = {B906741C5DB420AAA921A82A4246AB25201725CB228F90A2A0316B830575AFB20E7C12497B6A8664840F83DC64B9B16E16053E1C95B9E7E7886DB862819079D4DDF5E296F9C3B58823574A1ACF7129E908008FB598E3A732FDAC2EB8F49353F40A394391AFD56BE8D49F46BD8E3DABE2F92BD4EA00406624B7E87FB444758D789AAE31C137CF4E1F5BF8454AD73FC2C9920664BEDE068AAFD0E88AB1F02C88006F0BDC85A74CCB06BFD62E2A326E2971AF8E22F30FD0D898482DA808CBB68B23C263E0B673EB6F7D264F8BF7343D37860CB77827F4C286DB436B5AF83D3DF4E8B06256C6E7ED78A1FBFD7A724F3265C47CC3C477A0043232ED8F3FAF86DD7ED1} | |
| $m4 = {E8822D99F9CAC24295A580734070D29E56545CA9C4D241068FC933FC4D45915C819FED2C9CF81659DF9EB52415C298B9B47749DC89C40ADAAFCB5E6BEDADB07131EBCF3A400C464D93EC8B7A360803AB0C34FE184982FEC7C73148807C1EA20F920E50C9C687EB363FD830C3FFA6F7FBA2CD6F7323FEAC560590F032211689C67088F905977DA3C743DD02E83B3DEDB141A3ED3FBEDB9548C4EE1EB3F2BC0C2B99D0C65D124281E1836E82733F264B1490AE59660AC48DBED2CE06AEAD846F48849B4F40B9F14CF2AF98FBF6CE405D5CF6A8F12FAFEC8922F26B1865B1C173ADD7F1D8CF1E0A745C42B8687EB7D5770A27567C0F62A43F32146095FD0704A209} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_6de84caa2ca18673e01b91af58220c60aecd5cccf269725ec3c7f226b2167492 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "6de84caa2ca18673e01b91af58220c60aecd5cccf269725ec3c7f226b2167492" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "DeviceObject:0x%x\n" | |
| $a1 = "KbdDriverObject:0x%x\n" | |
| $a2 = "pTargetDeviceObject:0x%x\n" | |
| $a3 = "pTargetDeviceObject->NextDevice:0x%x\n" | |
| $a4 = "pTargetDeviceObject->AttachedDevice:0x%x\n" | |
| $a5 = "carete pFilterDeviceObject:0x%x\n" | |
| $a6 = "pLowerDeviceObject:0x%x\n" | |
| $a7 = "pLowerDeviceObject->NextDevice:0x%x\n" | |
| $a8 = "pLowerDeviceObject->AttachedDevice:0x%x\n" | |
| $a9 = "pFilterDeviceObject->NextDevice:0x%x\n" | |
| $a10 = "pFilterDeviceObject->AttachedDevice:0x%x\n" | |
| $a11 = "devExt->LowerDeviceObject:0x%x\n" | |
| $a12 = "devExt->TargetDeviceObject:0x%x\n" | |
| $a13 = "Detach Finished\n" | |
| $w0 = "\\Device\\msrhookctrl" wide | |
| $w1 = "\\Driver\\Kbdclass" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {E1A36D629FB979AB9C848107545AFC472A5FCBEDA81ECCD668D098CB60589DB53BCF60E68A9442795B8BC957361D8CB85D93A8BFDFEBDF3661F45B2BCB17A56E9D0CBE8233934C75468643FE57C7CD643AA786E52FF5D7F6EFA3DD801F555F5790BA4F4F6D86AD90E9620C4CD1E565F9383BFEE99DA1834EC165DE6503CC9000D95A71E8DB2CDC07EBC9D4356F8D92A5ED0248459C29D00AC6283469119D13FE9BB1D0594022733AB60A3D22851FEF7D038080CE11E9D9AB883748440965CC75A9C1E32AF1E0FCD58CFDCE93FA4395519756FC5AEBA55A08FC9F5E8DC793F95377A888EA3522A2D07A84488EBA9232E2FDF06267CA207826A83261FC654299BF} | |
| $m3 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m4 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_8ef0ad86500094e8fa3d9e7d53163aa6feef67c09575c169873c494ed66f057f | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "8ef0ad86500094e8fa3d9e7d53163aa6feef67c09575c169873c494ed66f057f" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "CITMDRV.SYS: ZwCreateFile failed (0x%x)\n" | |
| $a1 = "CITMDRV.SYS: unload...\n" | |
| $a2 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_WRITECOMBINE\n" | |
| $a3 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_NOCACHE\n" | |
| $a4 = "CITMDRV.SYS: ZwUnmapViewOfSection failed (0x%x)\n" | |
| $a5 = "CITMDRV.SYS: copy %u bytes into user memory\n" | |
| $a6 = "CITMDRV.SYS: virtualAddress=0x%p\n" | |
| $a7 = "CITMDRV.SYS: Insufficient input or output buffer\n" | |
| $a8 = "CITMDRV.SYS: ZwMapViewOfSection failed (0x%x)\n" | |
| $a9 = "CITMDRV.SYS: aligned Address = 0x%I64x\n" | |
| $a10 = "CITMDRV.SYS: requested offset = 0x%x\n" | |
| $a11 = "CITMDRV.SYS: userOffset = 0x%x\n" | |
| $a12 = "CITMDRV.SYS: Try to split into single pages\n" | |
| $a13 = "CITMDRV.SYS: ZwOpenSection failed (0x%x)\n" | |
| $a14 = "CITMDRV.SYS: offset = 0x%x\n" | |
| $a15 = "CITMDRV.SYS: aligned end Address = 0x%I64x\n" | |
| $a16 = "CITMDRV.SYS: aligned start Address = 0x%I64x\n" | |
| $a17 = "CITMDRV.SYS: requested Size = 0x%x\n" | |
| $a18 = "CITMDRV.SYS: requested Address = 0x%I64x\n" | |
| $a19 = "CITMDRV.SYS: MmProbeAndLockPages access violation\n" | |
| $a20 = "CITMDRV.SYS: IoAllocateMdl failed\n" | |
| $a21 = "CITMDRV.SYS: userVirtualAddress = 0x%p\n" | |
| $a22 = "CITMDRV.SYS: unknown IRP_MJ_DEVICE_CONTROL\n" | |
| $a23 = "CITMDRV.SYS: IRP_MJ_CREATE\n" | |
| $a24 = "CITMDRV.SYS: IoCreateDevice failed\n" | |
| $a25 = "CITMDRV.SYS: IoCreateSymbolicLink failed\n" | |
| $a26 = "CITMDRV.SYS: DriverEntry...\n" | |
| $w0 = "\\DosDevices\\CITMDRV" wide | |
| $w1 = "\\Device\\PhysicalMemory" wide | |
| $w2 = "\\Device\\CITMDRV" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {D66D48AB487B00E92CAB08B846957A4918A507E5A6ACF04FEDCD529AB14D7EB0444DED486867E9C23B5CE55969AE520C6E556E2D1583277A6A09479D9CE2104BB76D1332005412F7D28AA1A85027F622F542F2832FB348F0454BE2D13BAD717280718D798272374000C8DF32748EB926321695E71ACA96FA4B55ACF24DF9A780BDEFE07205866592C1941457898ACB2A866226CF5C5E336C59B9D4359DAB8D340FCC0606C7565AEC8D5AACC37AAED10DD2F72260F831D1FA7ED05D69C7EF31C65424CAF31BF2D9482EA4108D0F7D13B30D6D5FC88D516E9992518D418A871F6CEBC20E55012AB2B7C73611995439723309A26374311F3C4C5D324E6CE5B2EAA3} | |
| $m3 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m4 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c" | |
| created = "2023-04-07" | |
| strings: | |
| $m0 = {C6CCE573E6FBD4BBE52D2D32A6DFE5813FC9CD2549B6712AC3D5943467A20A1CB05F69A640B1C4B7B28FD098A4A941593AD3DC94D63CDB7438A44ACC4D2582F74AA5531238EEF3496D71917E63B6ABA65FC3A484F84F6251BEF8C5ECDB3892E306E508910CC4284155FBCB5A89157E71E835BF4D72093DBE3A38505B77311B8DB3C724459AA7AC6D00145A04B7BA13EB510A984141224E656187814150A6795C89DE194A57D52EE65D1C532C7E98CD1A0616A46873D03404135CA171D35A7C55DB5E64E13787305604E511B4298012F1793988A202117C2766B788B778F2CA0AA838AB0A64C2BF665D9584C1A1251E875D1A500B2012CC41BB6E0B5138B84BCB} | |
| $m1 = {A3645DFC7CB3E08235E0E0F6C62AE649753BCC6EE053A99F1F6459E67C6B7F6B8C9D55F892E39ED55A635B024950D983CE6F66EEDDCB85E95FA5F9D4877488443B19C9E5F5919FC61439AC24EAA84B2C9189CC5E28F464B650B7F512B373960A67A3BE619FAEF3FD1278750EA65B14FD45238E8644557D1886058C5587794846F7CA0E8DA7DE4E5FE2A8B62D5902618861721868B9B87CEEE6E7342F317781301FBB36018DEF27E3F79AF04C31648DE3EBFA1987A87ECFEC8C0C365B7AC17AB878C7C9062E4610C88DE80460DBBC7374FA4ED8FEAA40F1B2CE704683E9DA40A1593AD915095799563093F3C961CCD008CC6BEC624291AC02C0EFA4F089118F77} | |
| $m2 = {D31DC2E03F425CAD9E411688EF794A737D5894FBF5D6C58BB981575982AF2C3E87DACF25C634233395F710AE18F7A6FF5142FFDA14E62F01CB3AA4B50DDAE03309C657F362E3579872BF880590313F45BE7F0A82161DB9C3F70040D4379CFA94AADB22BC61A875B6C7454916E1DEBA515000F676A64327B03CE4A221643848AC8983F52BFD41BB5A30D3BF35CB89EB9C10C65DD5E36B2DE7FD6CF9DAB317FFC382DA244E766DA5283352782740FBFBF86D389703818352DCEC87A2E0AB3F87A9675C5ADC216A5B09261E191F09D3830C11A7CA7EBD7144CC9BB95567EE29E2C22C576CDDB096B30659990B920324AEA33527AA4B3AB8EA94FDC91AA9B7B6CC6B} | |
| $m3 = {C5F923E69427C48014A480325F40A38D6F70C0E53671713A75A4AA1A9294895EAC2371CB4E677D413FAAE34BB77BBE9DC1A8388F692F3A24E9775912C7660443C20D2682894019F22CEAE74CE77C051AB8FF88094F2637EF3AA4FA226C88C94A1B61F2AE105E6FBCD1799B591860E5EE29B5032AA4CEF183194F6905732809FB22109322A090191A4C31F2D32BD88443AF3C63FF98DB20D2092B54C1EAFD6A83E710A31271F5D6D7E1127AD5E0565ACEEA015B68655BC13F585233A935614E22CB81CA36A312CB06D6CF1B4D187EB992B912CF4026D89A3685B315AA4793846B07BBBCD5B3DE250011890068C1293CEA3E2DEE50ABD71C3006783CA510236791} | |
| $m4 = {E8822D99F9CAC24295A580734070D29E56545CA9C4D241068FC933FC4D45915C819FED2C9CF81659DF9EB52415C298B9B47749DC89C40ADAAFCB5E6BEDADB07131EBCF3A400C464D93EC8B7A360803AB0C34FE184982FEC7C73148807C1EA20F920E50C9C687EB363FD830C3FFA6F7FBA2CD6F7323FEAC560590F032211689C67088F905977DA3C743DD02E83B3DEDB141A3ED3FBEDB9548C4EE1EB3F2BC0C2B99D0C65D124281E1836E82733F264B1490AE59660AC48DBED2CE06AEAD846F48849B4F40B9F14CF2AF98FBF6CE405D5CF6A8F12FAFEC8922F26B1865B1C173ADD7F1D8CF1E0A745C42B8687EB7D5770A27567C0F62A43F32146095FD0704A209} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\PhysicalMemory" wide | |
| $w1 = "\\DosDevices\\NVFLASH" wide | |
| $w2 = "\\Device\\NVFLASH" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {D4FBC263170503F7B8FB07B34346F8E2563A15597A9B3BE02A8A7C3608EDBD2C61F8045DD1DBAAD75ADAEAD09884D725F143A9E17566761E6CBE6684A43CB2798419F09BB0E1710BF7CEC57B57C6F820B3A04E7DDAEF90F98E4097F2B285A8D4EA6A27657691D8E374B833B26275753242FD524FFC63F70F16790635070BF7D8EA7A528C52385171558FE9DD4081C77DD98B53C6CFAC06CDB7F579DC006B5130FA9D670E372930EDB7163761F75E92D404BACC83611374B5A9B3BAE6FBF9D1320679EAB528A29363833AFE393E4DA2C465A556F9B4A7D0261BE3AEA9AA5C1FF6885E9D891F9FDDC09751A5DC292F7DB3DC00E37B666B41BFE341434E4ABD5AAB} | |
| $m5 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\inpoutx64" wide | |
| $w1 = "\\DosDevices\\inpoutx64" wide | |
| $w2 = "\\Device\\PhysicalMemory" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {920054005E215673028E8E5E748C6A8E6B71A5EC94EA0BD17877A60A83CD965B4DAB3182B798561010A5256D58621C1EEC928935CB35FEBFCB106778C8725C735DAAD2FC354BA2DA5543E56BA75455BCDFE7791BB5097BE46B924E41AE79291D5E8F6DEE17612F57E0BFECF08854CE5F6F699BD3A8D93EC6CC1252BBFF5F42E451405C56CBC3BE8719827576EC439A158CF312320D1A052104E614E6546DD41A65C8366DDF00B3629281604789C31CD2E0331E5BFC901CBB5A291FCC7C06AC5E2526565A2B032DBD7B7BAAD9F8798703933BA8287C60B9AD27C4F6D6225BABD5501D1F29FF60D865B0EC1F4D525BC45560C7AA1B87AAEDC8D59472C6E7ABE007} | |
| $m3 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m4 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "PsSuspendProcess" wide | |
| $w1 = "PsResumeProcess" wide | |
| $w2 = "ZwQuerySystemInformation" wide | |
| $w3 = "ZwQueryInformationProcess" wide | |
| $m0 = {DF08BAE33F6E649BF589AF28964A078F1B2E8B3E1DFCB88069A3A1CEDBDFB08E6C8976294FCA603539AD7232E00BAE293D4C16D94B3C9DDAC5D3D109C92C6FA6C2605345DD4BD155CD031CD2595624F3E578D807CCD8B31F903FC01A71501D2DA712086D7CB0866CC7BA853207E1616FAF03C56DE5D6A18F36F6C10BD13E69974872C97FA4C8C24A4C7EA1D194A6D7DCEB05462EB818B4571D8649DB694A2C21F55E0F542D5A43A97A7E6A8E504D2557A1BF1B1505437B2C058DBD3D038C93227D63EA0A5705060ADB6198652D4749A8E7E656755CB8640863A9304066B2F9B6E334E86730E1430B87FFC9BE72105E23F09BA74865BF09887BCD72BC2E799B7B} | |
| $m1 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m2 = {A902BDC170E63BF24E1B289F97785E30EAA2A98D255FF8FE954CA3B7FE9DA2203E7C51A29BA28F60326BD1426479EEAC76C954DAF2EB9C861C8F9F8466B3C56B7A6223D61D3CDE0F0192E896C4BF2D669A9A682699D03A2CBF0CB55826C146E70A3E38962CA92839A8EC498342E3840FBB9A6C5561AC827CA1602D774CE999B4643B9A501C310824149FA9E7912B18E63D986314605805659F1D375287F7A7EF9402C61BD3BF5545B38980BF3AEC54944EAEFDA77A6D744EAF18CC96092821005790606937BB4B12073C56FF5BFBA4660A08A6D2815657EFB63B5E16817704DAF6BEAE8095FEB0CD7FD6A71A725C3CCABCF008A32230B30685C9B320771385DF} | |
| $m3 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m4 = {D01802EEEDA28D0858630F26D7DD227B88F6E4C7EC3B261878D3C7A420538D837CA53F7EA5C82B47DF0DF5A6D9C31D259360CF7CDCEA032CBE787F5C486DA702D949F8A1EBEB9A617C9FC026D6DC15D8B8107C20BA5EF428F6A8EAA75C7CC69C9090343CB622ACFEBA0C3A1ED65E84B65BF0A38170788A8D46527BFCDB49F3291311744F8D16B3C2E3A02DC703049DCCC372E10E0CFB028EF126177B6EAEF8B7338BA6614B45DFF22544C7F7B0982336DC28790AE89B7288A8D8E8AE7B7F0A6445A5F057929A7706451EEB9FE866F37A7D92815F002D1EB8F656135A620DB747A18F72EF835E82E09498E1ACA5AD8637E0A7D3BAB13E7AEB45A8F1C1447DE203} | |
| $m5 = {AF1AE873DA8D292DF0C8E7ABCE02CBE51D0C4F1F84FA4F24DF9AF97388D28D8527F2A0AF74431849E15AFF5BD0AD78DB09B37B7623538382D306C24C6830C2A4937205FBBA5A062157DDE4B9F2FEA9E8D79A8C4494212391C2FBCF0A2E3B1E6C15B5147BE84ED970032839A13D874E5D69A2E241C2E1B19E20A050A3028BC3F899492B50494DEE9C91D094B61FF804FDDEF2C3C8E842D5394D2EB498B83B98D1BA4D3B0C5AAE3C949A9A8C6BA535BB51C561DB583DB5F1D794665C0B5FF018DF45280F9EBF7413503ADEBE00B8A39DF795679ABCE9C08F62F5CB6A8810A8753556E181B4FD9440E4031AD63D735D4E81A5C1C968587B71D3251321D68C3A632D} | |
| $m6 = {F35DFA8067D45AA7A90C2C9020D035083C7584CDB707899C89DADECEC360FA91685A9E94712918767CC2E0C82576940E58FA043436E6DFAFF780BAE9580B2B93E59D05E3772291F734643C22911D5EE10990BC14FEFC755819E179B70792A3AE885908D89F07CA0358FC68296D32D7D2A8CB4BFCE10B48324FE6EBB8AD4FE45C6F139499DB95D575DBA81AB79491B4775BF5480C8F6A797D1470047D6DAF90F5DA70D847B7BF9B2F6CE705B7E11160AC7991147CC5D6A6E4E17ED5C37EE592D23C00B53682DE79E16DF3B56EF89F33C9CB527D739836DB8BA16BA295979BA3DEC24D26FF0696672506C8E7ACE4EE1233953199C835084E34CA7953D5B5BE6332594036C0A54E044D3DDB5B0733E458BFEF3F5364D842593557FD0F457C24044D9ED6387411972290CE684474926FD54B6FB086E3C73642A0D0FCC1C05AF9A361B9304771960A16B091C04295EF107F286AE32A1FB1E4CD033F777104C720FC490F1D4588A4D7CB7E88AD8E2DEC45DBC45104C92AFCEC869E9A11975BDECE5388E6E2B7FDAC95C22840DBEF0490DF813339D9B245A5238706A5558931BB062D600E41187D1F2EB597CB11EB15D524A594EF151489FD4B73FA325BFCD13300F95962700732EA2EAB402D7BCADD21671B30998F16AA23A841D1B06E119B36C4DE40749CE15865C1601E7A5B38C88FBB04267CD41640E5B66B6CAA86FD00BFCEC135} | |
| $m7 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m8 = {BD77C91C7F157838C50743215AFBE4CC3BC65531FC2189B1BCE7019CFB90BE20115576A74D02E7B2F42E8DEFB2874656CA47CEC8C363E308034B9606B9702244E64B7B443F75B7B8A62B910841EF4B0759D6A4199DF6CBA4BB8E02654DCADE0FB49022F1B56B5C22F6CAF938AA280B062D3C198DB7355F83EDDD65738446929F44E2894A8CD598A76D3DE819CB44AD180BEA5C5F7C0BC39A936844F3B6BF979930723F2859D070C8055778F54A82340A24C17AB064A53A6E12D5036138BB0E2DFD859CD648756A1CB2A2E891FAB7E4F53C5FFDC940ACC7A042F574D8B9DBD7FE73771AE0C4B709B1059A6DE35E8038757852B612D379AE43F765A7D1166469858F783AB894BF4512625A4D8748D6F819BC590106F51ADB60299F013F6E73F9FD8045CE95D78AF6920CC173402C6DAA32A6F17F30F890F1AE4527B9B40E3002BDC60EEC3C8C5BB63485CF140B0C500DA9E259912EA80139F42C15630480B840DF62F7FEB74C13A82CA966133862FC4070627B7577D52B8E1BA599E5B9B7C7ADEA01A0257B5846525654A2C9922B581D4851C01FFE3700D1E2AB10C2A959E942996E8FB51E4766741E98765757045EBD2F8593D50E0B9F2E7B2664A78612095063E7D1C78E7E0E3B07E7BBE4CD1A40D47ABA05594AD6D0EEDC965E224A271C45E3DEDAB2E9D343FDE96FC0C97D1FFD9F909C862008CC74DC40A729B3AB58656BB1} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "d:\\dell\\flashtoolsnew\\winphlash64\\drivers\\phlashsys\\wphlashdriver.cpp" | |
| $a1 = "IoctlInitialize()......" | |
| $a2 = "IoctlDeinitialize..." | |
| $a3 = "GetDeviceID..." | |
| $a4 = "SetAttributes..." | |
| $a5 = "Fail to sense DeviceID=%xh" | |
| $a6 = "SetAddress=%xh" | |
| $a7 = "FlashSenseID(Platform->Version=%d, DeviceID=%xh)..." | |
| $a8 = "verify(%d, o=%xh, c=%xh)..." | |
| $a9 = "dwResult=%xh" | |
| $a10 = "RomStartAddress=%xh BlockAddress=%xh BlockSize=%xh PlatformBlockAddress=%xh" | |
| $a11 = "DescriptorWriteEnable absent!" | |
| $a12 = "FlashPlatformProtocol->ProtocolVersion is wrong!" | |
| $a13 = "pFlashPlatformProtocol absent!" | |
| $a14 = "DescriptorWriteEnable()" | |
| $a15 = "DescriptorWriteDisable absent!" | |
| $a16 = "DescriptorWriteDisable()" | |
| $a17 = "DescriptorBiosBaseSize absent!" | |
| $a18 = "GetBiosRegionInfo()" | |
| $a19 = "DescriptorMEBaseSize absent!" | |
| $a20 = "GetMeRegionInfo()" | |
| $a21 = "DescriptorGBEBaseSize absent!" | |
| $a22 = "GetGbeRegionInfo()" | |
| $a23 = "DescriptorECBaseSize absent!" | |
| $a24 = "GetEcRegionInfo()" | |
| $a25 = "DescriptorDescriptorBaseSize absent!" | |
| $a26 = "GetDescriptorRegionInfo()" | |
| $a27 = "DescriptorActiveBios absent!" | |
| $a28 = "ActiveBios()" | |
| $a29 = "GetCurrentMeVer absent!" | |
| $a30 = "GetNewMeVer absent!" | |
| $a31 = "GetFlashMemory" | |
| $a32 = "GetFlashMemory()" | |
| $w0 = "\\DosDevices\\WinPhlash" wide | |
| $w1 = "\\Device\\WinPhlash" wide | |
| $m0 = {C4B5F25215BC88866029164A5B2F4B916B8791F335545835EAD1365E624D52513471C27B661D89C8DD2AC46A0AF637D9987491F692AEB0B57696F1A94A6345472E6B0B924E4B2B8CEE584A8BD407E41A2CF882AA58D9CD42F32DC075DE8DABC78E1D9A6C4C08951EDEDBEF67E172C249C29E603CE1E2BE16A3637869147BAD2D} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {BEBCEEBC7EEF83EBE0374FFB031038BE08D28C7D9DFA927F190CC26BEE42528CDED31C481325EAC1637AF95165EED3AA3BF5F0949C2BFBF266D424DAF7F59F6E193936BCD0A376081E2227246C389127E28449AE1B8AA1FD25822C1030E871AB28E8774A51F1ECCDF8F054D46FC0E36D0A8FD9D8648D63B22D4E27F6850EFE6DE32999E285477C2D867FE8578FAD67C23332911320FCA923149A6DC2844B766804D5712C5D21FA880D26FD1F2D912BE701554DF26D352882DFD96B5CB6D6D9AA81FD5FCD83BA639DD022FCA93B4269B28E3AB5BCB49E0F5EC4EA2C828B28FD530896DDB50120D1F9A518E7C0EE517037E1B6054852486F38EAC3E86C7B4484BB} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {AE9BF43E6972F6E353439B858675515F462F8F84E771129BD1B942445F239914FDEA2F87B0B23802732B8DBA068C2F46877B2E7A3ED6F72A2C988D12556F8655A14329D57A394524C5BE820BA7BD1BDEACC5EA539ED0BE75E36C57E6E024BBED920DB215D8870F04F0D4442FD313A0846473CC2A6D715F106B705919C86CF029} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\DosDevices\\AsrRapidStartDrv" wide | |
| $w1 = "\\REGISTRY\\MACHINE\\HARDWARE\\RESOURCEMAP\\System Resources\\Physical Memory" wide | |
| $w2 = ".Translated" wide | |
| $m0 = {C4B5F25215BC88866029164A5B2F4B916B8791F335545835EAD1365E624D52513471C27B661D89C8DD2AC46A0AF637D9987491F692AEB0B57696F1A94A6345472E6B0B924E4B2B8CEE584A8BD407E41A2CF882AA58D9CD42F32DC075DE8DABC78E1D9A6C4C08951EDEDBEF67E172C249C29E603CE1E2BE16A3637869147BAD2D} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {EFF813CA43D195BD645B01FC099DD99A44C4AFB0CB5D4E521ACDC1B74CEED891C9A2EA371DE16EC9A62D3988E018C0D22A2D6BF72C440B9C6BA277D27158975F136FAE88BE5FAF7B7BEDF49B61EA77086968FBAE43CFBAF93230DE4303D86F561572CD2A92143986595D8C347A2E6738F52EA1CA9691884BE506F8B0CFD6418BD0FAB6BB260FBB42947D184D6D38D6062EB24FCBF831355269660AB355AA9D94A12311F1B2C59148D9B80A3BCAC20D7018D3B1711D8AD8CAF44E82558A47D9C50CFDFC422C729A1E96237A2E10CC3E69702985FEEA04BF3AC9C289FEC334A6281C773B6FD090C1ED5D5514DB91A99654E82BC4508B10FE50EA23DB0E8E798211} | |
| $m5 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\DosDevices\\" wide | |
| $w1 = "\\Device\\" wide | |
| $m0 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m1 = {B2502848DDD3687A84184466755D7EC4B89F6326FF3D439C7C113810255573D9752769FD4EB9205CD30AF9A01B2AED55562161D81EDBE4BC336BC7EFDDA337658E1B930CB6531E5C7C66355F058A45FE764EDF5380A281209DAE885CA208F7E530F9EE22374C420ACEDFC61FC4D655E9813FB552A32CAA017AF2A2AA8D35FE9FE65D6A059F3D6BE3BF96C0FECC60F940E707A044EB81516EA52AF2B68A1028ED8FDC06A086509A7B4A080D301DCA109E6BF7E958AE04A94099B228E88F16AC3CE3536F4BD3359DB56F641DB3962CBB3DE779EB6D7AF916E626ADAFEF9953B7402C95B879AAFED452AB29747E42EC391EA26A16E659BB2468D80080431087806B} | |
| $m2 = {BEBCEEBC7EEF83EBE0374FFB031038BE08D28C7D9DFA927F190CC26BEE42528CDED31C481325EAC1637AF95165EED3AA3BF5F0949C2BFBF266D424DAF7F59F6E193936BCD0A376081E2227246C389127E28449AE1B8AA1FD25822C1030E871AB28E8774A51F1ECCDF8F054D46FC0E36D0A8FD9D8648D63B22D4E27F6850EFE6DE32999E285477C2D867FE8578FAD67C23332911320FCA923149A6DC2844B766804D5712C5D21FA880D26FD1F2D912BE701554DF26D352882DFD96B5CB6D6D9AA81FD5FCD83BA639DD022FCA93B4269B28E3AB5BCB49E0F5EC4EA2C828B28FD530896DDB50120D1F9A518E7C0EE517037E1B6054852486F38EAC3E86C7B4484BB} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {F1B29DD4C26F2A9192C84D7EE843BD3739CD20017682777BCEDC1630278D1C9B98F5950ED24F3F3B233E9A6368E9EB0045BA13B00216458BB3D0630FAA463503F652B759333E447B5F760735DB3BB1D40ACC1643CD734C0C7BA3C8472964674D025752B8B84B754EAE0CC3EC4AA775A1858D055C2ACCE5A3F641AD6733FBE699} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "c:\\windows" | |
| $w0 = "\\DosDevices\\MyDriver" wide | |
| $w1 = "\\Device\\MyDriver" wide | |
| $w2 = "\\DosDevices\\Global\\MyDriver" wide | |
| $m0 = {A64463E548D1ADEAD6DF6D1A1596FD45B155B3E89AD45CCCEBFEBC6445A782D5934F4C02D2B39BAE4A9E59EDAF8F37C6FCC633621F1173F2C407DCE4315111B834EB9D604D0865A7166E973054CC31CFCFADB63A280842D2F0D7ED40BD1D350459B2ECDE34D8BE71B96CDE6D857A431AA62549CB590621E38D5FB096425389EF3FBC6AB5612E9BDA21E824C71244CBBD1FD021B4B354247F7FCB04BE3CC84F551AD831213FDB769C093C3B1E26D488CD9A9F64BB9585CC153EE29DA0FFF8B6287CD1DF56EF8A1C42A380799E517719E98BF4F6A6D20A8DDB5E238B57352E18196E541F5B3087847F60B8CC713B61C60A4090D47FD1F77E0FEA4C87D3371C8A81} | |
| $m1 = {CB5F1EAB51F4D37D612DD2199ABD25FD975C75CDCC23B09955F2B98003366A6F80C60CB5BA3C27450406156BAD0EDE7E47AE3803736B3D28130D242C2F391848A7465E08A9C45360C98C30A3C67D632146E008932FB895976F29FF79D88E9739C833A3571E307214EEB77A7FFF59DB35D075E9C9B2729D56C1CBB72CB7C79B1E2F6B9DE0493A1BF439D3BDA80BA769995B131C4E670937AEA0A826655ABA7FADBB49CA89066722C5E8921B198F02711F5BC1742406ACE87A28A96883A442BC2F247E81F17F27648F706768C372FB69D7E5F00E2C2233E41BC71BD7254D2FFC76FB317CF2989F8E1F6A9960ABBFF1320FCAFD33489D595C58ADE23D2978283074C8354EF2EF96185ADB60A8BEE7FD9AACF9C03DE37D4E4ACF0B65DF21A471E4222283F25360528E51813A35A0EAE9FCC175E085C206432C930ED3B762AF522735733FDB11A449F9BBE3DF3F95D9F9D493E870D9AC5B080C4931735FC6532C9B097548443349997730221181D41056562E24DC8CC49BB415A3618AD8C4EFE5CD44FBAD74E803A26D69C093A776BF16D97951B2A8109001DC87363E51AB71D9D14E958EE6D85BF3A9357087093B8C55F0D573357114FE6B0E5615B36B34BF7405EEA03B6DF86E3112E247F44BE7B7490DEB65CBA12384A47B5BF1E2FD6469CEB31F1B5B9F68F07522786FA839CBF0FEE4A667B90B4671FE7A7E75133E57E156509D} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\DosDevices\\AsrOmgDrv" wide | |
| $w1 = "\\REGISTRY\\MACHINE\\HARDWARE\\RESOURCEMAP\\System Resources\\Physical Memory" wide | |
| $w2 = ".Translated" wide | |
| $m0 = {A9596674DA3D8A7D7AD8FCF580447BFE476A14554E50470BECD3EDCEF638F74F69B9B1F0B678820A8C761667E202ADB70DA58AF603FC66D3FC082DCCB573597B89DC336E665A5E5237B462D1925935148B45AC59B24D24A298946842729F3A68E26B8B9E222DF4984E9AC6AFB3E4A0AB3C28BF23E1D772A4F2105367AE77AF51} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {EFF813CA43D195BD645B01FC099DD99A44C4AFB0CB5D4E521ACDC1B74CEED891C9A2EA371DE16EC9A62D3988E018C0D22A2D6BF72C440B9C6BA277D27158975F136FAE88BE5FAF7B7BEDF49B61EA77086968FBAE43CFBAF93230DE4303D86F561572CD2A92143986595D8C347A2E6738F52EA1CA9691884BE506F8B0CFD6418BD0FAB6BB260FBB42947D184D6D38D6062EB24FCBF831355269660AB355AA9D94A12311F1B2C59148D9B80A3BCAC20D7018D3B1711D8AD8CAF44E82558A47D9C50CFDFC422C729A1E96237A2E10CC3E69702985FEEA04BF3AC9C289FEC334A6281C773B6FD090C1ED5D5514DB91A99654E82BC4508B10FE50EA23DB0E8E798211} | |
| $m5 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\IoMem" wide | |
| $w1 = "\\DosDevices\\IoMem" wide | |
| $m0 = {A9596674DA3D8A7D7AD8FCF580447BFE476A14554E50470BECD3EDCEF638F74F69B9B1F0B678820A8C761667E202ADB70DA58AF603FC66D3FC082DCCB573597B89DC336E665A5E5237B462D1925935148B45AC59B24D24A298946842729F3A68E26B8B9E222DF4984E9AC6AFB3E4A0AB3C28BF23E1D772A4F2105367AE77AF51} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {BFFE5FF6CD351E7280E24CFA4AB1AAE072292586BEDE7B2209177B5AA6DB78237E32359E55DC50F7BD8A6EF2DA3CA5D0F19960F8DC8D6FAB3304DE0522A7C7A3D550F34D15C0CDC49ADC02D735E77199524A9D1EE7ACA6858658D72DEFC0D0AE9907AF9CA23664705358166EFF66520EC8D6C6589BB5CA74D69F04B2EC4DC01F0809BE6D2B8E648A3957A5D27B55DD20FB59D91D8C1FE35B08470772E2C3F44B571857F619362E05B161DDD2D0E9A9A4D14BCC53145F58DBCE222565AA894E9DFEF5085DF02C69BB6D0420976CBB47A16AF603760C6AB830731B23F413DB192A1241DE6F151DFEC63008F50E5195B9B122D1E127A32AFC1309653E1B71285D29} | |
| $m3 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m4 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a" | |
| created = "2023-04-07" | |
| strings: | |
| $m0 = {E4060A27CBB70F309A41CFFB9ED787C959A391681EC69820AD8207B05474D546278A212BC5DEF19585F242F6608B7B02B075B5CEFE6BAA6E2EB907BD6FA8368F86125506FB5DC3E14AAA6136DD6B1C24E5F3B64D2CE8AC551062EF090FAD864698CE01B9003FE24FE54C1AD55BC872EA663225F66828BDC318537F981D0F558B} | |
| $m1 = {A29B752AA713BA09712418DFA1066229129EDC9E7573E8DF5657699613564FF2C8BC0158ED2686720B60F519C55503579BB910C9A1D47440FF6C00E8E65337FEB7DA793EB85238E9812C9F0E3352A6CD70CE4A5D62F4D1675EBC974A07CABCDD8D47B1CDF1655B8501B04B6BDECD8E2EF550E8A39C9D26986B366341037044F05FE2257579507D5FA106A2460C55954714D39146866899E727F494EC9A4151F796D47A8CE14497687103D8586FBDB41042EE0D6675468B4496D23000120763F7449B0170CA566F9C58972A27178B2E71526D46ABA72B0F7F164864C852FA0617000774D745B30CF5789573E80AEEC4E0728C1E11AA1EBB5ECEF9B400EE73BDCD} | |
| $m2 = {C30CB7120D4D688A33DE3605F03CBAF5DACD0E537B469F82F26213D7C177ADBB81377E4F1E9381C10622DA1D5084C6979592A993B63DAB867919547D0E16044CC488972CC6A1A85F153AD2642BCC3E0C7AE8A456B11EBBCF84CE8D353A349C6C2DC077B530A91F67E63A09443A437241A291C3469A1FB6B9A70FAF1C751B6425E7086C1447F5471ADE8EEAA263957DF5A8AD55A2649B726FB902733F398A395CC4FE8FFB119CBD10194963D043228BD6AB92997414CF3007BE4FBDFD8A8F9E5ADF6D3CCC5A995090B9ADC29743C25FEDCD333D87CCC1A05BA9623B787D64A3AC4D1F2BD703116C71548AB0ABB11CD67D23DB40073726DB50AF383DA607756F97} | |
| $m3 = {CDC23D5D7722D0C27D3832C315831F426A3B5366DD6A36440D69CF688D89459F7E2FEE423A337C3E00D3976AD85AD5C34D920A5F0650FDBF6CC403A28260D8ED522E1374DE97C645217B55F6EAB16403FC746BB25FC76C6C43148A241037499581D24812A5A2764950217FCA85730A3C5DB52EAD90AA5E4D32CB1793D97F96C0C0896556D9C5B13F981B27FA49EE1D1BCB068C301C3BC5A7705BA8AB185AFEC8F68EBF015D8F6198340F5851FFDF32EA54651C142B6CFC0C901967ED9BD9DA639BD65A24A3748E082300A192B51E0BD108A0667F921BA3ED806402498FB684EFD1558E5EA9975AC50802889456BF92EB2A2D063592B5373631ECC3FE7A3BC285} | |
| $m4 = {B0B1F2800070CEECC38CB497EDC6098C266F89DF675981CFDE14134CC2B145E2537541FA07366FBA117028947C6D72BD071525653A09FF85DCFA7B5E378738E4C74B0880989E8ACD580902C0C30149965888892659F56DC6B9C1FB1825EDD8624ECA0A6C5D70EFCED39B290B09C6F6EEB616D43C548ECC5DE0AFDBDD2309327B328116620A06CB7ACF3421B66F36B6B1CECB9A2935403E9D587CFFAD8298FAB8D589CA35DDCBCD5706CB9BE4BF94A880985F7796F0B6E7AB74794021A663E9D00791BD8538B4AE96ACA1FF1473DAA545B84D86CE2A3CEFD4DF280E75A9A88813C2E47C6093F225CC038497E64EB69F2DD6B58B343CABD5383AC83DC4B1F994CD} | |
| $m5 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "GetDevicePropertyString: IoGetDeviceProperty() for property request returned %x\n" | |
| $a1 = "GetDevicePropertyString: Could not allocate %d bytes of memory\n" | |
| $a2 = "GetDevicePropertyString: IoGetDeviceProperty() get property field size returned %x\n" | |
| $w0 = "HalGetBusDataByOffset" wide | |
| $w1 = "\\Driver\\ACPI" wide | |
| $w2 = "\\Driver\\PCI" wide | |
| $m0 = {C1A5DFD739BF5056A119F26435D38D9374E22ADC04C322C576C43CADDF4C8BC8C4795A3B6EB346E7DC1FA17BCF4188D3BF2CFEBEAC5CC4C250F9E4F957F872C620A78D346F7B76AC9CDF41449445236734D916AD8DE1EDE4549FD700412000DCD5F2FF6AA7BA96C31BA03E07DCDF3F41918A2DF8289FA337B11CB6FF844663FB2212094EB591166FB92434135D7260BE1D46072094979A1E8DE85F9EEBBC872468BB18579FF5023F91F033353E993DEB95D000AB077E7C93EC2E12E744F89559F8973DFAC0E74D667FF37A01B5CE9E35967A1315F4F82AE295247E71ED80F5A7A29B80908A2E8BE7BA31AEA21AAE04D7DD5CAA5992FCFAA46BFE882D476B025D} | |
| $m1 = {C4B5F25215BC88866029164A5B2F4B916B8791F335545835EAD1365E624D52513471C27B661D89C8DD2AC46A0AF637D9987491F692AEB0B57696F1A94A6345472E6B0B924E4B2B8CEE584A8BD407E41A2CF882AA58D9CD42F32DC075DE8DABC78E1D9A6C4C08951EDEDBEF67E172C249C29E603CE1E2BE16A3637869147BAD2D} | |
| $m2 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m3 = {C15DB158670862EEA09A2D1F086D911468980A1EFEDA046F13846221C3D17CCE9F05E0B801F04E34ECE28A950464ACF16B535F05B3CB6780BF42028EFEDD0109ECE100144FFCFBF00CDD43BA5B2BE11F80709915579316F10F976AB7C268231CCC4D5930AC511E3BAF2BD6EE63457BC5D95F50D2E3500F3A88E7BF14FDE0C7B9} | |
| $m4 = {CD73F6D0D62478AC96A9CDD5505E4DF2A346B40D6EA53AF4261D39C3950C13BC104750057A5107509C8C912FD39976B6B85BBC30D3DD7B07D023EE4E19B1E06619C7F3F9C2037DE5AB026EE219BAEA3196085D30CBEEEDBFAF44608C4F460E76793BB01BFEBC69D407F5450A33D680A3AAAABE156290B2029212D9FABEB30705} | |
| $m5 = {ABD7A87FDA875D2E25CED8CD0521F9710336A4BA22C5CECAA0AD8B3AFDC7A17EBFA89101BBDD7514494568B17D5EFCA9AAD237D58CCA627DD0CF1CF7F0DFAF5CB316EABDE51802005DEF76F7B7C0A8BB909BFA964309C32C81FAE218716B658D8C762C3A9B6FD4BA67A1DEDEAF16FDA18ABEEDB723D92C371F9C999703359C06757548107A443320386E9D11BD8B5FA7C06C180CA7E98B8AEB71EE81EC9875E14BFB8F96CF6B4652AC3D3968686FAA15D680C7DF36E82E11C9890DA8223DE3009DFF2EB224CDC58FD91DB45089620C03C0025E8C35624F76C34AE4411EBB112E512A5D16C323E6B0663C71F853C8BCAD49A2E8610E717E6BC00C3AE00CD2DE01} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_9a1d66036b0868bbb1b2823209fedea61a301d5dd245f8e7d390bd31e52d663e | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "9a1d66036b0868bbb1b2823209fedea61a301d5dd245f8e7d390bd31e52d663e" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "CITMDRV.SYS: ZwCreateFile failed (0x%x)\n" | |
| $a1 = "CITMDRV.SYS: unload...\n" | |
| $a2 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_WRITECOMBINE\n" | |
| $a3 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_NOCACHE\n" | |
| $a4 = "CITMDRV.SYS: ZwUnmapViewOfSection failed (0x%x)\n" | |
| $a5 = "CITMDRV.SYS: copy %u bytes into user memory\n" | |
| $a6 = "CITMDRV.SYS: virtualAddress=0x%p\n" | |
| $a7 = "CITMDRV.SYS: Insufficient input or output buffer\n" | |
| $a8 = "CITMDRV.SYS: MmProbeAndLockPages access violation\n" | |
| $a9 = "CITMDRV.SYS: ZwMapViewOfSection failed (0x%x)\n" | |
| $a10 = "CITMDRV.SYS: userOffset = 0x%x\n" | |
| $a11 = "CITMDRV.SYS: requested offset = 0x%x\n" | |
| $a12 = "CITMDRV.SYS: aligned Address = 0x%I64x\n" | |
| $a13 = "CITMDRV.SYS: Try to split into single pages\n" | |
| $a14 = "CITMDRV.SYS: ZwOpenSection failed (0x%x)\n" | |
| $a15 = "CITMDRV.SYS: offset = 0x%x\n" | |
| $a16 = "CITMDRV.SYS: aligned end Address = 0x%I64x\n" | |
| $a17 = "CITMDRV.SYS: aligned start Address = 0x%I64x\n" | |
| $a18 = "CITMDRV.SYS: requested Size = 0x%x\n" | |
| $a19 = "CITMDRV.SYS: requested Address = 0x%I64x\n" | |
| $a20 = "CITMDRV.SYS: IoAllocateMdl failed\n" | |
| $a21 = "CITMDRV.SYS: userVirtualAddress = 0x%p\n" | |
| $a22 = "CITMDRV.SYS: IRP_MJ_CREATE\n" | |
| $a23 = "CITMDRV.SYS: unknown IRP_MJ_DEVICE_CONTROL\n" | |
| $a24 = "CITMDRV.SYS: IoCreateDevice failed\n" | |
| $a25 = "CITMDRV.SYS: IoCreateSymbolicLink failed\n" | |
| $a26 = "CITMDRV.SYS: DriverEntry...\n" | |
| $w0 = "\\DosDevices\\CITMDRV" wide | |
| $w1 = "\\Device\\PhysicalMemory" wide | |
| $w2 = "\\Device\\CITMDRV" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {D66D48AB487B00E92CAB08B846957A4918A507E5A6ACF04FEDCD529AB14D7EB0444DED486867E9C23B5CE55969AE520C6E556E2D1583277A6A09479D9CE2104BB76D1332005412F7D28AA1A85027F622F542F2832FB348F0454BE2D13BAD717280718D798272374000C8DF32748EB926321695E71ACA96FA4B55ACF24DF9A780BDEFE07205866592C1941457898ACB2A866226CF5C5E336C59B9D4359DAB8D340FCC0606C7565AEC8D5AACC37AAED10DD2F72260F831D1FA7ED05D69C7EF31C65424CAF31BF2D9482EA4108D0F7D13B30D6D5FC88D516E9992518D418A871F6CEBC20E55012AB2B7C73611995439723309A26374311F3C4C5D324E6CE5B2EAA3} | |
| $m3 = {97831E0016AF2CB1D208C4D7689351601E71F6E247B4DB584D23626AB4BF5A1B51F7A30D187768BBD836AB2F2150DA9EF3E75F274E0BC297C8097093A9DA5C0D4EA40D91A0B4EC14CE9172542ECEA3DB44E9521B3F413CCA4AE4AAC0E839AB53CC21D0CCCF7F9BE6C2CC586A8215EE3D36CF1CC59707248EF17BBE312D3D6EDCB599429F4B61955F1C70EE177DDB8BE5618978C7681BAF11781A98AEC4554753D9B332D6A10E4640C597928AD153A7995B853557D3EA936261200AC7307724114D6283B6BA7B688231EE65CADFF9D58DB235DC8C2B6F6A725C60849CF20C945EC056520048CCD3F8A57DDE2FD713E438A884D546B81386C21B9DEA5A38DD9BDB} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_d92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "d92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\NTIOLib_1_0_D" wide | |
| $w1 = "\\DosDevices\\NTIOLib_1_0_D" wide | |
| $m0 = {B24F14E710BED72672AB3697EF53BF42845E58D18A28FC43466F7E2844500B755D00D73C0A449E206AA4F7454A3760A36E3F12FA6DFAB646C36AA3B80C2728025728D150F7613955B8C3E12586523CBF051DD7B39AF89A243149D5A2A9E2D391AB3E3C73EFF629F1C835D0307B7F4E92A5068F87E2CEF5C16366AC18692AC15EBB5AE86E95FF3B80629D99C7C72F66D5FD621A82555AC6FA40778EC9303C1BF0F235B86C599CFDE9D6CAB4401EF704CAD167A974E3A50854D983353B8E8C230C75B6DE864A9E1A3E0A5049389CD2A890BF98FAC88C2B27117E2AFBCEDEA9AE389322FAA6ECFB5C6176C344D6CC0C7E2F6D0680A27440BBB71FF43BD773541FF3} | |
| $m1 = {BE4A2335C1F42275B5B0E7DD0A5B0C23655C15460D6E2E8455950F3EF4B46165CFB462C11F2C83EF605BF8ED1DC0808584DFD27F07F168DCDB64FB74B8F5A27190D81B187D0DD3F16A379AE523C9E2CF99ECC3EC1DA2567DB7967A08068BBC3288C310C7C6E0A34D724969FA8E317A31B2C8A414CBF217370C842939E5AE40813C50D577DCFED6E87CD8DF87744A8DED04E18FDD01E450A737B1663BF0A883778250EE26B95DD6A1F3F2AD0509B44D9E4CA02267FE8BC62F00197AD013933EC5F91B85208709E947F724CB1A1193F9CE3F1CD8CFAEC366C3C941E12F65EB098B67E31B59175C57B4D0A8988A7B5D93084EA27D4C14D525EC42C2B117D2BDA47B} | |
| $m2 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\PhysicalMemory" wide | |
| $w1 = "\\DosDevices\\AsUpdateio" wide | |
| $w2 = "\\DosDevices\\AsUpdateio" wide | |
| $w3 = "\\Device\\AsUpdateio" wide | |
| $m0 = {C4B5F25215BC88866029164A5B2F4B916B8791F335545835EAD1365E624D52513471C27B661D89C8DD2AC46A0AF637D9987491F692AEB0B57696F1A94A6345472E6B0B924E4B2B8CEE584A8BD407E41A2CF882AA58D9CD42F32DC075DE8DABC78E1D9A6C4C08951EDEDBEF67E172C249C29E603CE1E2BE16A3637869147BAD2D} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {BE671DB460AA10496F56177C66C95E860DD5F1ACA771838E8B89F88804891506BA2D842195E4D19C504CFBD222BDDAF2B2353B1E8FC309FBFC132E5ABF897C3D3B251EF6F3587B9CF401B5C60AB880CEBE27746167274D6AE5EC81615879A3E01710121527B0E14D347F2B472044B9DE6624668ACD4FBA1FC538C85490E172F61966756AB94968CF38790DAA30A8DB2C60489ED7AA1401A983D7389130391396033A7C4054B6ADE02F1B83DCA811523E02B3D72BFD21B6A75CA30F0BA9A610500E342E4DA7CEC95E25D48CBCF36E7C29BC015DFC31875AD58C8567588819A0BF35F0EA2BA321E790F683E5A8ED60785E7B6083FD570B5D410D635460D64321EF} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {EC94053FCF73BC5C7F19B12B49D2532360E1EAD7B47BD3785AF118ACADB05C7B890DA71CF48AE739AC2D5D797D5893048B7FD7ECF7CCFD22249954A1F227429C44FE6687EEB51F3E5D64490E42B3DEDE3CEAB98B38BF3EB735606281CF56DB43FC4779CDCF86D556E9F142FEC9ACF299E22732C140253CEEE705A59CFED571AF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\cpuz141" wide | |
| $w1 = "\\DosDevices\\CPUZ141" wide | |
| $w2 = "\\DosDevices\\Global\\CPUZ141" wide | |
| $m0 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m1 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m2 = {8876E09D91FBC8FEE57713F4F0BB906B31E1CFF22767DA6B1E26C8DA3AB3831AC040DF481A1AA93189D318946A17F2CEDD55E3B0AD05C73D22A0A5E80154B4D88D9C3300E40C014BF5E79E178AADE0A522029DDFEDDD4C75F0140222B83917BFDE7B396804668593D5F14349760A3AA5A3EB1EFE15F59075A56DBF182896501729E8536A734A7247AC3098B7A73BFAE5EFCA7567A3D226D5E730B30D59FB587545EEB6B273D7A6D98D48D4FFDC5327201893AD1383B98569EBF467FC465756F77DB404279B595763383EAAAEF0831541BD66A6BEBA3AA21B1F0E3ED25F0795BD8B089852087332C3552C6DD9F7E930CD01A50F3F8DB38E5CE268B632900049F3} | |
| $m3 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\NTIOLib_MSICPU_DLED" wide | |
| $w1 = "\\DosDevices\\NTIOLib_MSICPU_DLED" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {B24F14E710BED72672AB3697EF53BF42845E58D18A28FC43466F7E2844500B755D00D73C0A449E206AA4F7454A3760A36E3F12FA6DFAB646C36AA3B80C2728025728D150F7613955B8C3E12586523CBF051DD7B39AF89A243149D5A2A9E2D391AB3E3C73EFF629F1C835D0307B7F4E92A5068F87E2CEF5C16366AC18692AC15EBB5AE86E95FF3B80629D99C7C72F66D5FD621A82555AC6FA40778EC9303C1BF0F235B86C599CFDE9D6CAB4401EF704CAD167A974E3A50854D983353B8E8C230C75B6DE864A9E1A3E0A5049389CD2A890BF98FAC88C2B27117E2AFBCEDEA9AE389322FAA6ECFB5C6176C344D6CC0C7E2F6D0680A27440BBB71FF43BD773541FF3} | |
| $m2 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m3 = {BE4A2335C1F42275B5B0E7DD0A5B0C23655C15460D6E2E8455950F3EF4B46165CFB462C11F2C83EF605BF8ED1DC0808584DFD27F07F168DCDB64FB74B8F5A27190D81B187D0DD3F16A379AE523C9E2CF99ECC3EC1DA2567DB7967A08068BBC3288C310C7C6E0A34D724969FA8E317A31B2C8A414CBF217370C842939E5AE40813C50D577DCFED6E87CD8DF87744A8DED04E18FDD01E450A737B1663BF0A883778250EE26B95DD6A1F3F2AD0509B44D9E4CA02267FE8BC62F00197AD013933EC5F91B85208709E947F724CB1A1193F9CE3F1CD8CFAEC366C3C941E12F65EB098B67E31B59175C57B4D0A8988A7B5D93084EA27D4C14D525EC42C2B117D2BDA47B} | |
| $m4 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_845f1e228de249fc1ddf8dc28c39d03e8ad328a6277b6502d3932e83b879a65a | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "845f1e228de249fc1ddf8dc28c39d03e8ad328a6277b6502d3932e83b879a65a" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "CITMDRV.SYS: ZwCreateFile failed (0x%x)\n" | |
| $a1 = "CITMDRV.SYS: unload...\n" | |
| $a2 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_WRITECOMBINE\n" | |
| $a3 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_NOCACHE\n" | |
| $a4 = "CITMDRV.SYS: ZwUnmapViewOfSection failed (0x%x)\n" | |
| $a5 = "CITMDRV.SYS: copy %u bytes into user memory\n" | |
| $a6 = "CITMDRV.SYS: virtualAddress=0x%p\n" | |
| $a7 = "CITMDRV.SYS: Insufficient input or output buffer\n" | |
| $a8 = "CITMDRV.SYS: ZwMapViewOfSection failed (0x%x)\n" | |
| $a9 = "CITMDRV.SYS: aligned Address = 0x%I64x\n" | |
| $a10 = "CITMDRV.SYS: requested offset = 0x%x\n" | |
| $a11 = "CITMDRV.SYS: userOffset = 0x%x\n" | |
| $a12 = "CITMDRV.SYS: Try to split into single pages\n" | |
| $a13 = "CITMDRV.SYS: ZwOpenSection failed (0x%x)\n" | |
| $a14 = "CITMDRV.SYS: offset = 0x%x\n" | |
| $a15 = "CITMDRV.SYS: aligned end Address = 0x%I64x\n" | |
| $a16 = "CITMDRV.SYS: aligned start Address = 0x%I64x\n" | |
| $a17 = "CITMDRV.SYS: requested Size = 0x%x\n" | |
| $a18 = "CITMDRV.SYS: requested Address = 0x%I64x\n" | |
| $a19 = "CITMDRV.SYS: MmProbeAndLockPages access violation\n" | |
| $a20 = "CITMDRV.SYS: IoAllocateMdl failed\n" | |
| $a21 = "CITMDRV.SYS: userVirtualAddress = 0x%p\n" | |
| $a22 = "CITMDRV.SYS: unknown IRP_MJ_DEVICE_CONTROL\n" | |
| $a23 = "CITMDRV.SYS: IRP_MJ_CREATE\n" | |
| $a24 = "CITMDRV.SYS: IoCreateDevice failed\n" | |
| $a25 = "CITMDRV.SYS: IoCreateSymbolicLink failed\n" | |
| $a26 = "CITMDRV.SYS: DriverEntry...\n" | |
| $w0 = "\\DosDevices\\CITMDRV" wide | |
| $w1 = "\\Device\\PhysicalMemory" wide | |
| $w2 = "\\Device\\CITMDRV" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {D66D48AB487B00E92CAB08B846957A4918A507E5A6ACF04FEDCD529AB14D7EB0444DED486867E9C23B5CE55969AE520C6E556E2D1583277A6A09479D9CE2104BB76D1332005412F7D28AA1A85027F622F542F2832FB348F0454BE2D13BAD717280718D798272374000C8DF32748EB926321695E71ACA96FA4B55ACF24DF9A780BDEFE07205866592C1941457898ACB2A866226CF5C5E336C59B9D4359DAB8D340FCC0606C7565AEC8D5AACC37AAED10DD2F72260F831D1FA7ED05D69C7EF31C65424CAF31BF2D9482EA4108D0F7D13B30D6D5FC88D516E9992518D418A871F6CEBC20E55012AB2B7C73611995439723309A26374311F3C4C5D324E6CE5B2EAA3} | |
| $m3 = {97831E0016AF2CB1D208C4D7689351601E71F6E247B4DB584D23626AB4BF5A1B51F7A30D187768BBD836AB2F2150DA9EF3E75F274E0BC297C8097093A9DA5C0D4EA40D91A0B4EC14CE9172542ECEA3DB44E9521B3F413CCA4AE4AAC0E839AB53CC21D0CCCF7F9BE6C2CC586A8215EE3D36CF1CC59707248EF17BBE312D3D6EDCB599429F4B61955F1C70EE177DDB8BE5618978C7681BAF11781A98AEC4554753D9B332D6A10E4640C597928AD153A7995B853557D3EA936261200AC7307724114D6283B6BA7B688231EE65CADFF9D58DB235DC8C2B6F6A725C60849CF20C945EC056520048CCD3F8A57DDE2FD713E438A884D546B81386C21B9DEA5A38DD9BDB} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "NdisIMInitializeDeviceInstanceEx" | |
| $a1 = "NdisMRegisterMiniportDriver" | |
| $a2 = "HookNdisSendComplete\n" | |
| $a3 = "HookSendNetBufferLists pid:%d...\n" | |
| $a4 = "PassThrough kernel_nic_send %p\n" | |
| $a5 = "PassThrough kernel_nic_send loopback %p\n" | |
| $a6 = "init_nic_adapter error no ndis offset\n" | |
| $a7 = "kernel_nic_send AllocNdisNBL failed!\n" | |
| $a8 = "init_ndis_hook EnumSysModule tcpip.sys failed!\n" | |
| $a9 = "tcp ProtSendNetBufferListsComplete %p\n" | |
| $a10 = "DriverUnload Done!\n" | |
| $a11 = "services id:%d process:%p\n" | |
| $a12 = "CreateFileA" | |
| $a13 = "CloseHandle" | |
| $a14 = "CreateProcessA" | |
| $a15 = "WaitForSingleObject" | |
| $a16 = "LoadLibraryA" | |
| $a17 = "GetModuleHandleA" | |
| $a18 = "cdo_open no open_context!\n" | |
| $a19 = "IoCreateDevice failed!\n" | |
| $a20 = "IoCreateSymbolicLink failed!\n" | |
| $a21 = "\\DosDevices\\" | |
| $w0 = "\\registry\\machine\\system\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\" wide | |
| $w1 = "IPAddress" wide | |
| $w2 = "DhcpIPAddress" wide | |
| $w3 = "DefaultGateway" wide | |
| $w4 = "RtlGetVersion" wide | |
| $w5 = "kerNel32.dll" wide | |
| $w6 = "\\Device\\Tcp4" wide | |
| $w7 = "\\DosDevices\\Tcp4" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {AE0051901C0274FA4D6322EDEF2FF7D1CC7F88A6F830FA9B21953A427799B887ACBA537A557BEF3677CEB6A075CA3C91F942B305C59C7CD60D9BA9F4824C71352B73134F7CC9DB2EB71CDA2DFE38BA90D075442EC7783A4A2EC5732C138139278E13E8B5C91B206F3B5DDFAB3855BD871710046C3C849C6760477A70C8952E1DFFFEAD14F55DEF82EB2F03B44196762467BA0C03ED322BC30B4576D5D4BB8C099FFB223FD2899C68DE000DB2F6D57ADC29600779DBB58AB1A869DAC451A5E975B0CCBCF139E3BD5C104DB5BB7B97593D58B8BFC2B0BBD4AD93C18E0E1E2A5F3CD4BB098FD920FE2801DC56554FA7E4FAB2C1178A7A6113870F2DA8F771A31C3D} | |
| $m3 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m4 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "!!!!Get NDIS Module Info failed!\n" | |
| $a1 = "NdisIMInitializeDeviceInstanceEx" | |
| $a2 = "NdisIMInitializeDeviceInstanceEx:%p\n" | |
| $a3 = "ndisFindMiniportOnGlobalList:%p %x %p\n" | |
| $a4 = "NdisMRegisterMiniportDriver" | |
| $a5 = "NdisMRegisterMiniportDriver:%p\n" | |
| $a6 = "init_nic_adapter error no ndis offset\n" | |
| $a7 = "EnumSysModule tcpip.sys failed!\n" | |
| $a8 = "OpenBlockSearchLen %d set->0x600\n" | |
| $a9 = "OpenBlockSearchLen %d set->0x800\n" | |
| $a10 = "tcpip base:%p TcpOpenBlock %p OpenBlockSearchLen %x\n" | |
| $a11 = "RootDeviceNameOff:%d %d %d %d \n" | |
| $a12 = "!!!ndis6 offset init failed!\n" | |
| $a13 = "CreateFileA" | |
| $a14 = "CloseHandle" | |
| $a15 = "CreateProcessA" | |
| $a16 = "WaitForSingleObject" | |
| $a17 = "LoadLibraryA" | |
| $a18 = "GetModuleHandleA" | |
| $a19 = "\\DosDevices\\" | |
| $a20 = "\\SystemRoot\\" | |
| $a21 = "Content-Type: application/octet-stream\r\n" | |
| $a22 = "Content-Length: %d\r\n\r\n" | |
| $a23 = "Content-Length:" | |
| $a24 = "Connection:" | |
| $w0 = "\\registry\\machine\\system\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\" wide | |
| $w1 = "IPAddress" wide | |
| $w2 = "DhcpIPAddress" wide | |
| $w3 = "DefaultGateway" wide | |
| $w4 = "RtlGetVersion" wide | |
| $w5 = "kerNel32.dll" wide | |
| $w6 = "\\Device\\Tcp4" wide | |
| $w7 = "\\DosDevices\\Tcp4" wide | |
| $m0 = {AE0051901C0274FA4D6322EDEF2FF7D1CC7F88A6F830FA9B21953A427799B887ACBA537A557BEF3677CEB6A075CA3C91F942B305C59C7CD60D9BA9F4824C71352B73134F7CC9DB2EB71CDA2DFE38BA90D075442EC7783A4A2EC5732C138139278E13E8B5C91B206F3B5DDFAB3855BD871710046C3C849C6760477A70C8952E1DFFFEAD14F55DEF82EB2F03B44196762467BA0C03ED322BC30B4576D5D4BB8C099FFB223FD2899C68DE000DB2F6D57ADC29600779DBB58AB1A869DAC451A5E975B0CCBCF139E3BD5C104DB5BB7B97593D58B8BFC2B0BBD4AD93C18E0E1E2A5F3CD4BB098FD920FE2801DC56554FA7E4FAB2C1178A7A6113870F2DA8F771A31C3D} | |
| $m1 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m2 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\NTIOLib_1_0_6" wide | |
| $w1 = "\\DosDevices\\NTIOLib_1_0_6" wide | |
| $m0 = {A29B752AA713BA09712418DFA1066229129EDC9E7573E8DF5657699613564FF2C8BC0158ED2686720B60F519C55503579BB910C9A1D47440FF6C00E8E65337FEB7DA793EB85238E9812C9F0E3352A6CD70CE4A5D62F4D1675EBC974A07CABCDD8D47B1CDF1655B8501B04B6BDECD8E2EF550E8A39C9D26986B366341037044F05FE2257579507D5FA106A2460C55954714D39146866899E727F494EC9A4151F796D47A8CE14497687103D8586FBDB41042EE0D6675468B4496D23000120763F7449B0170CA566F9C58972A27178B2E71526D46ABA72B0F7F164864C852FA0617000774D745B30CF5789573E80AEEC4E0728C1E11AA1EBB5ECEF9B400EE73BDCD} | |
| $m1 = {BE2794996C4B3FA39C28F8E6124A05A5316441DFE0F087D59DFBC11259F88F8067D69B9F6046EAF084B1629A2CA0BF2498A31B4F181D1E1E952E870944256088967CA045958D071E9C135E8DC1CDCB66B8B3C65A2AFD3003055D7DA2CDBE8A1EB7889518CF35891488B3E8A849CE2A195C7D3ABDFC5EA01035D675B1FCD9CA35} | |
| $m2 = {B0B1F2800070CEECC38CB497EDC6098C266F89DF675981CFDE14134CC2B145E2537541FA07366FBA117028947C6D72BD071525653A09FF85DCFA7B5E378738E4C74B0880989E8ACD580902C0C30149965888892659F56DC6B9C1FB1825EDD8624ECA0A6C5D70EFCED39B290B09C6F6EEB616D43C548ECC5DE0AFDBDD2309327B328116620A06CB7ACF3421B66F36B6B1CECB9A2935403E9D587CFFAD8298FAB8D589CA35DDCBCD5706CB9BE4BF94A880985F7796F0B6E7AB74794021A663E9D00791BD8538B4AE96ACA1FF1473DAA545B84D86CE2A3CEFD4DF280E75A9A88813C2E47C6093F225CC038497E64EB69F2DD6B58B343CABD5383AC83DC4B1F994CD} | |
| $m3 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\NTIOLib_MSICPU_CC" wide | |
| $w1 = "\\DosDevices\\NTIOLib_MSICPU_CC" wide | |
| $m0 = {A9596674DA3D8A7D7AD8FCF580447BFE476A14554E50470BECD3EDCEF638F74F69B9B1F0B678820A8C761667E202ADB70DA58AF603FC66D3FC082DCCB573597B89DC336E665A5E5237B462D1925935148B45AC59B24D24A298946842729F3A68E26B8B9E222DF4984E9AC6AFB3E4A0AB3C28BF23E1D772A4F2105367AE77AF51} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {B24F14E710BED72672AB3697EF53BF42845E58D18A28FC43466F7E2844500B755D00D73C0A449E206AA4F7454A3760A36E3F12FA6DFAB646C36AA3B80C2728025728D150F7613955B8C3E12586523CBF051DD7B39AF89A243149D5A2A9E2D391AB3E3C73EFF629F1C835D0307B7F4E92A5068F87E2CEF5C16366AC18692AC15EBB5AE86E95FF3B80629D99C7C72F66D5FD621A82555AC6FA40778EC9303C1BF0F235B86C599CFDE9D6CAB4401EF704CAD167A974E3A50854D983353B8E8C230C75B6DE864A9E1A3E0A5049389CD2A890BF98FAC88C2B27117E2AFBCEDEA9AE389322FAA6ECFB5C6176C344D6CC0C7E2F6D0680A27440BBB71FF43BD773541FF3} | |
| $m3 = {BE4A2335C1F42275B5B0E7DD0A5B0C23655C15460D6E2E8455950F3EF4B46165CFB462C11F2C83EF605BF8ED1DC0808584DFD27F07F168DCDB64FB74B8F5A27190D81B187D0DD3F16A379AE523C9E2CF99ECC3EC1DA2567DB7967A08068BBC3288C310C7C6E0A34D724969FA8E317A31B2C8A414CBF217370C842939E5AE40813C50D577DCFED6E87CD8DF87744A8DED04E18FDD01E450A737B1663BF0A883778250EE26B95DD6A1F3F2AD0509B44D9E4CA02267FE8BC62F00197AD013933EC5F91B85208709E947F724CB1A1193F9CE3F1CD8CFAEC366C3C941E12F65EB098B67E31B59175C57B4D0A8988A7B5D93084EA27D4C14D525EC42C2B117D2BDA47B} | |
| $m4 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_61a1bdddd3c512e681818debb5bee94db701768fc25e674fcad46592a3259bd0 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "61a1bdddd3c512e681818debb5bee94db701768fc25e674fcad46592a3259bd0" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\GLCKIo2" wide | |
| $w1 = "\\DosDevices\\GLCKIo2" wide | |
| $w2 = "\\Device\\PhysicalMemory" wide | |
| $w3 = "ZwQueryInformationProcess" wide | |
| $m0 = {9F858C34C11517C023CCA419F75C719FCE26DF64BEB18379294E8298BEFA43A0787DFEF4FA904B2CBA3BAA1971F1731C17CCE63B884F96F60D85E6F3D355467D691887B1EE754409D1EBCB8E9E7F986CEA8816C37F42D4CAB224844226F7D042C1CE7A84DDF4C93C526D68C67754FAF67FDF24F3030C3A0FD9B9D6D9EC0419E485573077360435C983D921A6D9FC03F5C24C0DC642C162C9A3665C68EDD3EF210204FE6CE71672C04A64FE63D9DBAAEE236E2DF20584E8E57704C8AF270C6D93A987461C06A64B538033506FF328ED883659CFF72D1774F34129E7D09D33B620B09FD18C05BA2B1F19D10DD2B64BB60E8822E2924E845CDA212220AD22C26F37} | |
| $m1 = {C6CCE573E6FBD4BBE52D2D32A6DFE5813FC9CD2549B6712AC3D5943467A20A1CB05F69A640B1C4B7B28FD098A4A941593AD3DC94D63CDB7438A44ACC4D2582F74AA5531238EEF3496D71917E63B6ABA65FC3A484F84F6251BEF8C5ECDB3892E306E508910CC4284155FBCB5A89157E71E835BF4D72093DBE3A38505B77311B8DB3C724459AA7AC6D00145A04B7BA13EB510A984141224E656187814150A6795C89DE194A57D52EE65D1C532C7E98CD1A0616A46873D03404135CA171D35A7C55DB5E64E13787305604E511B4298012F1793988A202117C2766B788B778F2CA0AA838AB0A64C2BF665D9584C1A1251E875D1A500B2012CC41BB6E0B5138B84BCB} | |
| $m2 = {B44A5E7D070F41DEC4F5761636BD71FFCF3F4F734B9CD10DFE4ACB57585E8516DD02155499F08F3C2F4D02781068C8D8354B3FC1F767CE981CAE33B92D1DA40A5493C485A2DF35B1F5F13CA7B334FB5D48C946C96244BC4899EB284953C33D8FC00EDE3598E96251DF3D6B4061EE0441DACFA75C5696D1F94CB74484879869E582B913E655BFC89270920A316F7F8B32ABCF6B5A9F62C43EEEBEED59A4537F0BF152888A7B0A6724CB90CDECD24D344CB0E1B59F9CC6F66F2CCDE6CA5374019F6735DE38492DCEED39448219794E1AB2B5FBBB78F04966A7CFFA5C9675928B1A72D9FF509253CC3EC24332091A8613693CFB8132333264757328261D08303B07} | |
| $m3 = {A3645DFC7CB3E08235E0E0F6C62AE649753BCC6EE053A99F1F6459E67C6B7F6B8C9D55F892E39ED55A635B024950D983CE6F66EEDDCB85E95FA5F9D4877488443B19C9E5F5919FC61439AC24EAA84B2C9189CC5E28F464B650B7F512B373960A67A3BE619FAEF3FD1278750EA65B14FD45238E8644557D1886058C5587794846F7CA0E8DA7DE4E5FE2A8B62D5902618861721868B9B87CEEE6E7342F317781301FBB36018DEF27E3F79AF04C31648DE3EBFA1987A87ECFEC8C0C365B7AC17AB878C7C9062E4610C88DE80460DBBC7374FA4ED8FEAA40F1B2CE704683E9DA40A1593AD915095799563093F3C961CCD008CC6BEC624291AC02C0EFA4F089118F77} | |
| $m4 = {E8822D99F9CAC24295A580734070D29E56545CA9C4D241068FC933FC4D45915C819FED2C9CF81659DF9EB52415C298B9B47749DC89C40ADAAFCB5E6BEDADB07131EBCF3A400C464D93EC8B7A360803AB0C34FE184982FEC7C73148807C1EA20F920E50C9C687EB363FD830C3FFA6F7FBA2CD6F7323FEAC560590F032211689C67088F905977DA3C743DD02E83B3DEDB141A3ED3FBEDB9548C4EE1EB3F2BC0C2B99D0C65D124281E1836E82733F264B1490AE59660AC48DBED2CE06AEAD846F48849B4F40B9F14CF2AF98FBF6CE405D5CF6A8F12FAFEC8922F26B1865B1C173ADD7F1D8CF1E0A745C42B8687EB7D5770A27567C0F62A43F32146095FD0704A209} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\DosDevices\\BS_HWMIO" wide | |
| $m0 = {CDBBAA03BF9630FC7F729C17C4ED8D9199A1B6A452827B642CCF8FE37B6A0B03A58788CBE0C1F0FAE10AFFBB709C1E39CC160D30E51DE144EC4092A9266BB8D5677EDAFD5400C3CE3532069232074DD1C181E9E3BC4DE35FE6A68BCB320D7CBA3E7D28FD0CE4496856E92834D9F6C26C1C5981A33E9CC12929E0D88008C2336FCC9723D660E12CAD572F61341D56AD1A08729607B74B579418628F98F327035ECCD40B95A4648531AADED7669FD826ECDAEDB842CFAF77AAB4E22A7ED9224A99658B6C0BF64B3FD03A0E7DBC4FB6988BE36C98A6A039A5A8DE2689E0355DD4470E690A0136356562B0DDD40B599D964238EBB7B487BAE556262B3801CEF311AD} | |
| $m1 = {CB5F1EAB51F4D37D612DD2199ABD25FD975C75CDCC23B09955F2B98003366A6F80C60CB5BA3C27450406156BAD0EDE7E47AE3803736B3D28130D242C2F391848A7465E08A9C45360C98C30A3C67D632146E008932FB895976F29FF79D88E9739C833A3571E307214EEB77A7FFF59DB35D075E9C9B2729D56C1CBB72CB7C79B1E2F6B9DE0493A1BF439D3BDA80BA769995B131C4E670937AEA0A826655ABA7FADBB49CA89066722C5E8921B198F02711F5BC1742406ACE87A28A96883A442BC2F247E81F17F27648F706768C372FB69D7E5F00E2C2233E41BC71BD7254D2FFC76FB317CF2989F8E1F6A9960ABBFF1320FCAFD33489D595C58ADE23D2978283074C8354EF2EF96185ADB60A8BEE7FD9AACF9C03DE37D4E4ACF0B65DF21A471E4222283F25360528E51813A35A0EAE9FCC175E085C206432C930ED3B762AF522735733FDB11A449F9BBE3DF3F95D9F9D493E870D9AC5B080C4931735FC6532C9B097548443349997730221181D41056562E24DC8CC49BB415A3618AD8C4EFE5CD44FBAD74E803A26D69C093A776BF16D97951B2A8109001DC87363E51AB71D9D14E958EE6D85BF3A9357087093B8C55F0D573357114FE6B0E5615B36B34BF7405EEA03B6DF86E3112E247F44BE7B7490DEB65CBA12384A47B5BF1E2FD6469CEB31F1B5B9F68F07522786FA839CBF0FEE4A667B90B4671FE7A7E75133E57E156509D} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_76fb4deaee57ef30e56c382c92abffe2cf616d08dbecb3368c8ee6b02e59f303 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "76fb4deaee57ef30e56c382c92abffe2cf616d08dbecb3368c8ee6b02e59f303" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "CITMDRV.SYS: ZwCreateFile failed (0x%x)\n" | |
| $a1 = "CITMDRV.SYS: unload...\n" | |
| $a2 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_WRITECOMBINE\n" | |
| $a3 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_NOCACHE\n" | |
| $a4 = "CITMDRV.SYS: ZwUnmapViewOfSection failed (0x%x)\n" | |
| $a5 = "CITMDRV.SYS: copy %u bytes into user memory\n" | |
| $a6 = "CITMDRV.SYS: virtualAddress=0x%p\n" | |
| $a7 = "CITMDRV.SYS: Insufficient input or output buffer\n" | |
| $a8 = "CITMDRV.SYS: MmProbeAndLockPages access violation\n" | |
| $a9 = "CITMDRV.SYS: ZwMapViewOfSection failed (0x%x)\n" | |
| $a10 = "CITMDRV.SYS: userOffset = 0x%x\n" | |
| $a11 = "CITMDRV.SYS: requested offset = 0x%x\n" | |
| $a12 = "CITMDRV.SYS: aligned Address = 0x%I64x\n" | |
| $a13 = "CITMDRV.SYS: Try to split into single pages\n" | |
| $a14 = "CITMDRV.SYS: ZwOpenSection failed (0x%x)\n" | |
| $a15 = "CITMDRV.SYS: offset = 0x%x\n" | |
| $a16 = "CITMDRV.SYS: aligned end Address = 0x%I64x\n" | |
| $a17 = "CITMDRV.SYS: aligned start Address = 0x%I64x\n" | |
| $a18 = "CITMDRV.SYS: requested Size = 0x%x\n" | |
| $a19 = "CITMDRV.SYS: requested Address = 0x%I64x\n" | |
| $a20 = "CITMDRV.SYS: IoAllocateMdl failed\n" | |
| $a21 = "CITMDRV.SYS: userVirtualAddress = 0x%p\n" | |
| $a22 = "CITMDRV.SYS: IRP_MJ_CREATE\n" | |
| $a23 = "CITMDRV.SYS: unknown IRP_MJ_DEVICE_CONTROL\n" | |
| $a24 = "CITMDRV.SYS: IoCreateDevice failed\n" | |
| $a25 = "CITMDRV.SYS: IoCreateSymbolicLink failed\n" | |
| $a26 = "CITMDRV.SYS: DriverEntry...\n" | |
| $w0 = "\\DosDevices\\CITMDRV" wide | |
| $w1 = "\\Device\\PhysicalMemory" wide | |
| $w2 = "\\Device\\CITMDRV" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {D66D48AB487B00E92CAB08B846957A4918A507E5A6ACF04FEDCD529AB14D7EB0444DED486867E9C23B5CE55969AE520C6E556E2D1583277A6A09479D9CE2104BB76D1332005412F7D28AA1A85027F622F542F2832FB348F0454BE2D13BAD717280718D798272374000C8DF32748EB926321695E71ACA96FA4B55ACF24DF9A780BDEFE07205866592C1941457898ACB2A866226CF5C5E336C59B9D4359DAB8D340FCC0606C7565AEC8D5AACC37AAED10DD2F72260F831D1FA7ED05D69C7EF31C65424CAF31BF2D9482EA4108D0F7D13B30D6D5FC88D516E9992518D418A871F6CEBC20E55012AB2B7C73611995439723309A26374311F3C4C5D324E6CE5B2EAA3} | |
| $m3 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m4 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "HW_MapTheMemory Entry it=%d busn=%d busaddr=%x IoSpace=%d len=%d\n" | |
| $w0 = "\\Device\\PhysicalMemory" wide | |
| $m0 = {D3D05B44E5BEA862E7FCA82518A486D3440CA00088E6F05E2C1E34CA845BE3DB2EFED2BF18ED6A062531685A39567657531C305F78EB505D968B726DF1EBD245F5A88C71601B44291E3732E55E59E24E60E3B1112507691FA407ED147D605856BA1571BF4B388A595B2E91D6CEFB5968FF5DA62D44D9954E93A2ABCF936126E7} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {A29B752AA713BA09712418DFA1066229129EDC9E7573E8DF5657699613564FF2C8BC0158ED2686720B60F519C55503579BB910C9A1D47440FF6C00E8E65337FEB7DA793EB85238E9812C9F0E3352A6CD70CE4A5D62F4D1675EBC974A07CABCDD8D47B1CDF1655B8501B04B6BDECD8E2EF550E8A39C9D26986B366341037044F05FE2257579507D5FA106A2460C55954714D39146866899E727F494EC9A4151F796D47A8CE14497687103D8586FBDB41042EE0D6675468B4496D23000120763F7449B0170CA566F9C58972A27178B2E71526D46ABA72B0F7F164864C852FA0617000774D745B30CF5789573E80AEEC4E0728C1E11AA1EBB5ECEF9B400EE73BDCD} | |
| $m3 = {B2502848DDD3687A84184466755D7EC4B89F6326FF3D439C7C113810255573D9752769FD4EB9205CD30AF9A01B2AED55562161D81EDBE4BC336BC7EFDDA337658E1B930CB6531E5C7C66355F058A45FE764EDF5380A281209DAE885CA208F7E530F9EE22374C420ACEDFC61FC4D655E9813FB552A32CAA017AF2A2AA8D35FE9FE65D6A059F3D6BE3BF96C0FECC60F940E707A044EB81516EA52AF2B68A1028ED8FDC06A086509A7B4A080D301DCA109E6BF7E958AE04A94099B228E88F16AC3CE3536F4BD3359DB56F641DB3962CBB3DE779EB6D7AF916E626ADAFEF9953B7402C95B879AAFED452AB29747E42EC391EA26A16E659BB2468D80080431087806B} | |
| $m4 = {B0B1F2800070CEECC38CB497EDC6098C266F89DF675981CFDE14134CC2B145E2537541FA07366FBA117028947C6D72BD071525653A09FF85DCFA7B5E378738E4C74B0880989E8ACD580902C0C30149965888892659F56DC6B9C1FB1825EDD8624ECA0A6C5D70EFCED39B290B09C6F6EEB616D43C548ECC5DE0AFDBDD2309327B328116620A06CB7ACF3421B66F36B6B1CECB9A2935403E9D587CFFAD8298FAB8D589CA35DDCBCD5706CB9BE4BF94A880985F7796F0B6E7AB74794021A663E9D00791BD8538B4AE96ACA1FF1473DAA545B84D86CE2A3CEFD4DF280E75A9A88813C2E47C6093F225CC038497E64EB69F2DD6B58B343CABD5383AC83DC4B1F994CD} | |
| $m5 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63" | |
| created = "2023-04-07" | |
| strings: | |
| $m0 = {8D30BD0529173C6CF73EE7B468D624011577DDB0B80CDD80D4CCEA5E85222E354B4055B46614267B83D0330704AE89A0A4610C094121D99D06917DBD9F6D672978C35704B2E755CDF03592D8F426E930C69262D70E12E29D1A58FB6015A0737B8D0DA2D92B9C6B38DFB76761AD1C15B412743F58DDEA0B87ACA5E5CDF9FE95386F92C17E20BFE10313A82064B20A63757AF32661BCC0B08B053F341F7C6C33CB8163443CDB3F4D3B96616D319AE899079B2BC29B3D418931FB24DC8A17939833CB3A7076E9753273426AACF4A23D8C6CB70F8CA6113F291AA65B12D5E0B3D7AB37CB2A3496FF762E4A89D9B8FB2A0326FF333436A0EB901E308AB43B4F320C61} | |
| $m1 = {97831E0016AF2CB1D208C4D7689351601E71F6E247B4DB584D23626AB4BF5A1B51F7A30D187768BBD836AB2F2150DA9EF3E75F274E0BC297C8097093A9DA5C0D4EA40D91A0B4EC14CE9172542ECEA3DB44E9521B3F413CCA4AE4AAC0E839AB53CC21D0CCCF7F9BE6C2CC586A8215EE3D36CF1CC59707248EF17BBE312D3D6EDCB599429F4B61955F1C70EE177DDB8BE5618978C7681BAF11781A98AEC4554753D9B332D6A10E4640C597928AD153A7995B853557D3EA936261200AC7307724114D6283B6BA7B688231EE65CADFF9D58DB235DC8C2B6F6A725C60849CF20C945EC056520048CCD3F8A57DDE2FD713E438A884D546B81386C21B9DEA5A38DD9BDB} | |
| $m2 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\DosDevices\\AsrDrv10" wide | |
| $w1 = "\\REGISTRY\\MACHINE\\HARDWARE\\RESOURCEMAP\\System Resources\\Physical Memory" wide | |
| $w2 = ".Translated" wide | |
| $m0 = {A9596674DA3D8A7D7AD8FCF580447BFE476A14554E50470BECD3EDCEF638F74F69B9B1F0B678820A8C761667E202ADB70DA58AF603FC66D3FC082DCCB573597B89DC336E665A5E5237B462D1925935148B45AC59B24D24A298946842729F3A68E26B8B9E222DF4984E9AC6AFB3E4A0AB3C28BF23E1D772A4F2105367AE77AF51} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {EFF813CA43D195BD645B01FC099DD99A44C4AFB0CB5D4E521ACDC1B74CEED891C9A2EA371DE16EC9A62D3988E018C0D22A2D6BF72C440B9C6BA277D27158975F136FAE88BE5FAF7B7BEDF49B61EA77086968FBAE43CFBAF93230DE4303D86F561572CD2A92143986595D8C347A2E6738F52EA1CA9691884BE506F8B0CFD6418BD0FAB6BB260FBB42947D184D6D38D6062EB24FCBF831355269660AB355AA9D94A12311F1B2C59148D9B80A3BCAC20D7018D3B1711D8AD8CAF44E82558A47D9C50CFDFC422C729A1E96237A2E10CC3E69702985FEEA04BF3AC9C289FEC334A6281C773B6FD090C1ED5D5514DB91A99654E82BC4508B10FE50EA23DB0E8E798211} | |
| $m5 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f" | |
| created = "2023-04-07" | |
| strings: | |
| $m0 = {C4B5F25215BC88866029164A5B2F4B916B8791F335545835EAD1365E624D52513471C27B661D89C8DD2AC46A0AF637D9987491F692AEB0B57696F1A94A6345472E6B0B924E4B2B8CEE584A8BD407E41A2CF882AA58D9CD42F32DC075DE8DABC78E1D9A6C4C08951EDEDBEF67E172C249C29E603CE1E2BE16A3637869147BAD2D} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {BEBCEEBC7EEF83EBE0374FFB031038BE08D28C7D9DFA927F190CC26BEE42528CDED31C481325EAC1637AF95165EED3AA3BF5F0949C2BFBF266D424DAF7F59F6E193936BCD0A376081E2227246C389127E28449AE1B8AA1FD25822C1030E871AB28E8774A51F1ECCDF8F054D46FC0E36D0A8FD9D8648D63B22D4E27F6850EFE6DE32999E285477C2D867FE8578FAD67C23332911320FCA923149A6DC2844B766804D5712C5D21FA880D26FD1F2D912BE701554DF26D352882DFD96B5CB6D6D9AA81FD5FCD83BA639DD022FCA93B4269B28E3AB5BCB49E0F5EC4EA2C828B28FD530896DDB50120D1F9A518E7C0EE517037E1B6054852486F38EAC3E86C7B4484BB} | |
| $m3 = {DFD6E260D2EA13595D60652BCA50F0EAF4E63CA726D75020FD2E159CF335A6DAECA895EB1908CA97FAD3F017869CB9ABDB77CD26EF4C48D74BB8FE03C01797B52BC7D94D8EEA01D079494BD78A079C5836ED74E4AF339A0F1B8545C6647003ADF893798B8536885D9DB22C1B09E40A93E1F3A759A0C055828ACC831F941CE9D9} | |
| $m4 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "ObOpenObjectByPointer" | |
| $a1 = "ObfDereferenceObject" | |
| $a2 = "PsLookupProcessByProcessId" | |
| $a3 = "PsSetCreateProcessNotifyRoutine" | |
| $a4 = "PsGetProcessId" | |
| $a5 = "PsGetCurrentProcessId" | |
| $a6 = "IoCreateSymbolicLink" | |
| $a7 = "IoDeleteSymbolicLink" | |
| $a8 = "IoDeleteDevice" | |
| $a9 = "IofCompleteRequest" | |
| $a10 = "KeSetSystemAffinityThread" | |
| $a11 = "KeQueryTimeIncrement" | |
| $a12 = "MmUnmapLockedPages" | |
| $a13 = "IoGetCurrentProcess" | |
| $a14 = "PsSetCreateThreadNotifyRoutine" | |
| $a15 = "PsSetLoadImageNotifyRoutine" | |
| $a16 = "PsRemoveCreateThreadNotifyRoutine" | |
| $a17 = "PsRemoveLoadImageNotifyRoutine" | |
| $a18 = "ZwUnmapViewOfSection" | |
| $a19 = "ZwCreateFile" | |
| $a20 = "ZwTerminateProcess" | |
| $a21 = "ZwQueryInformationFile" | |
| $a22 = "RtlQueryRegistryValues" | |
| $a23 = "RtlWriteRegistryValue" | |
| $a24 = "RtlCreateRegistryKey" | |
| $a25 = "ParseCommand caused exception" | |
| $a26 = "ObGetObjectType" | |
| $a27 = "PsAcquireProcessExitSynchronization" | |
| $a28 = "PsIsProtectedProcess" | |
| $a29 = "PsReleaseProcessExitSynchronization" | |
| $a30 = "PsResumeProcess" | |
| $a31 = "PsSuspendProcess" | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {B78BCF755B9F25DA7E39B093DB38D3A923D082FAE9247E5C0B8E83F8E67A59E6A3C598A799D244FF00A6A539048ADA2988EADBA2F31C991526C2B1F4FCE10C47A90911060A2092B9C7A0048C5C9419AB5B252C1D627E700DCE616CDD2B82C9CE5D485FF7C2BEBC41231E4F295DD74FBCF4C52AFC63E67C264E99A779419E104A7A79C9C686F78695D226CE3C182AD67CCEAFCDADBBF7822C70263745E50F4722C60128BD2E835C6AA447C1E7D0D86B81463F2117F507C5435AA6672CB87B6011B583EEF5740A7271443D58FEE81AAB38C359DB7F6E387D76C7726998369657D3661CD25491042E5419B0DC3DB5225E86D52A7E20DF5DE67AB165FEC5024E312D} | |
| $m2 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m3 = {905C48FFC7902AF3CD15976223D457B70C10430D8E18CBAC81A10363083BEC6F754C4ED4EF60DF5A24872EED6F39E238600D95F9299B36525FA57AB5BDAC368C955151AA77B5457F20FB07994FDF720A7452DAC5233B19614C3B46AFBDD7CA130872746DE0726E0DBC2AF803E73673EBFD04198B3E818546870D07301020FA4F6298451652D7DE463AC28CA3E423E7C764DE4E32874898046C685DABC8D081BC133E787DC2195C735FB61EF6AFADF68B5CC14521BB2203DC0C78258819D68CF6DCC9668EB1332E004B2930F65CF0E97EF2A4C8F4901AED377E4B8F9E415244FD228B91249B26BEF9DDA8842E42E2A2CE5FB57F7F5FABB15F5AC2B289A84721AD} | |
| $m4 = {ACA0F0FB8059D49CC7A4CF9DA159730910450C0D2C6E68F16C5B4868495937FC0B3319C2777FCC102D95341CE6EB4D09A71CD2B8C9973602B789D4245F06C0CC4494948D02626FEB5ADD118D289A5C8490107A0DBD74662F6A38A0E2D55444EB1D079F07BA6FEEE9FD4E0B29F53E84A001F19CABF81C7E89A4E8A1D871650DA3517BEEBCD222600DB95B9DDFBAFC515B0BAF98B2E92EE904E86287DE2BC8D74EC14C641EDDCF8758BA4A4FCA68071D1C9D4AC6D52F91CC7C71721CC5C067EB32FDC9925C94DA85C09BBF537D2B09F48C9D911F976A52CBDE0936A477D87B875044D53E6E2969FB3949261E09A5807B402DEBE82785C9FE61FD7EE67C971DD59D} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "\\DosDevices\\WinFlash" | |
| $a1 = "\\Device\\WinFlash" | |
| $w0 = "\\DosDevices\\WINFLASH" wide | |
| $m0 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m1 = {B2502848DDD3687A84184466755D7EC4B89F6326FF3D439C7C113810255573D9752769FD4EB9205CD30AF9A01B2AED55562161D81EDBE4BC336BC7EFDDA337658E1B930CB6531E5C7C66355F058A45FE764EDF5380A281209DAE885CA208F7E530F9EE22374C420ACEDFC61FC4D655E9813FB552A32CAA017AF2A2AA8D35FE9FE65D6A059F3D6BE3BF96C0FECC60F940E707A044EB81516EA52AF2B68A1028ED8FDC06A086509A7B4A080D301DCA109E6BF7E958AE04A94099B228E88F16AC3CE3536F4BD3359DB56F641DB3962CBB3DE779EB6D7AF916E626ADAFEF9953B7402C95B879AAFED452AB29747E42EC391EA26A16E659BB2468D80080431087806B} | |
| $m2 = {BEBCEEBC7EEF83EBE0374FFB031038BE08D28C7D9DFA927F190CC26BEE42528CDED31C481325EAC1637AF95165EED3AA3BF5F0949C2BFBF266D424DAF7F59F6E193936BCD0A376081E2227246C389127E28449AE1B8AA1FD25822C1030E871AB28E8774A51F1ECCDF8F054D46FC0E36D0A8FD9D8648D63B22D4E27F6850EFE6DE32999E285477C2D867FE8578FAD67C23332911320FCA923149A6DC2844B766804D5712C5D21FA880D26FD1F2D912BE701554DF26D352882DFD96B5CB6D6D9AA81FD5FCD83BA639DD022FCA93B4269B28E3AB5BCB49E0F5EC4EA2C828B28FD530896DDB50120D1F9A518E7C0EE517037E1B6054852486F38EAC3E86C7B4484BB} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {C6DE36C5D534A9EAAD3DA84E16AE0B09F2365D2BD0331521AADE933E5F85BD408EAD6D3BC503410803B50BEBFBCD791455629100E356F2A8148BAE1516396FD7D471BC75CDF3D71581983C26026CCA27F71E9495106E82D2CF9F1C2DDBF70D4036EA97F5048F9D7DE932D5526A0FA7FC9D19283DE6E682324EBE1BD4C44016EF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_9790a7b9d624b2b18768bb655dda4a05a9929633cef0b1521e79e40d7de0a05b | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "9790a7b9d624b2b18768bb655dda4a05a9929633cef0b1521e79e40d7de0a05b" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "CITMDRV.SYS: ZwCreateFile failed (0x%x)\n" | |
| $a1 = "CITMDRV.SYS: unload...\n" | |
| $a2 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_WRITECOMBINE\n" | |
| $a3 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_NOCACHE\n" | |
| $a4 = "CITMDRV.SYS: ZwUnmapViewOfSection failed (0x%x)\n" | |
| $a5 = "CITMDRV.SYS: copy %u bytes into user memory\n" | |
| $a6 = "CITMDRV.SYS: virtualAddress=0x%p\n" | |
| $a7 = "CITMDRV.SYS: Insufficient input or output buffer\n" | |
| $a8 = "CITMDRV.SYS: MmProbeAndLockPages access violation\n" | |
| $a9 = "CITMDRV.SYS: ZwMapViewOfSection failed (0x%x)\n" | |
| $a10 = "CITMDRV.SYS: userOffset = 0x%x\n" | |
| $a11 = "CITMDRV.SYS: requested offset = 0x%x\n" | |
| $a12 = "CITMDRV.SYS: aligned Address = 0x%I64x\n" | |
| $a13 = "CITMDRV.SYS: Try to split into single pages\n" | |
| $a14 = "CITMDRV.SYS: ZwOpenSection failed (0x%x)\n" | |
| $a15 = "CITMDRV.SYS: offset = 0x%x\n" | |
| $a16 = "CITMDRV.SYS: aligned end Address = 0x%I64x\n" | |
| $a17 = "CITMDRV.SYS: aligned start Address = 0x%I64x\n" | |
| $a18 = "CITMDRV.SYS: requested Size = 0x%x\n" | |
| $a19 = "CITMDRV.SYS: requested Address = 0x%I64x\n" | |
| $a20 = "CITMDRV.SYS: IoAllocateMdl failed\n" | |
| $a21 = "CITMDRV.SYS: userVirtualAddress = 0x%p\n" | |
| $a22 = "CITMDRV.SYS: IRP_MJ_CREATE\n" | |
| $a23 = "CITMDRV.SYS: unknown IRP_MJ_DEVICE_CONTROL\n" | |
| $a24 = "CITMDRV.SYS: IoCreateDevice failed\n" | |
| $a25 = "CITMDRV.SYS: IoCreateSymbolicLink failed\n" | |
| $a26 = "CITMDRV.SYS: DriverEntry...\n" | |
| $w0 = "\\DosDevices\\CITMDRV" wide | |
| $w1 = "\\Device\\PhysicalMemory" wide | |
| $w2 = "\\Device\\CITMDRV" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {C19C559C6A1B732FDAC3DEF6D5255CF6D9C9116D00B46A3D4C1D2351789690D3CCD17891EC9A395511748C2F4C0B6B98C6BBBEE515A6A7450D6F3048153E46FE0FCFAA68D4F1D32E35EA6BCA67FA90A8F3A533A3711A685B4E4219E4CE7A2DBBE5C0BBCE17167C18741E76C599D7D6073C70CA65FB1923BE80260E86FF71125D} | |
| $m3 = {BE671DB460AA10496F56177C66C95E860DD5F1ACA771838E8B89F88804891506BA2D842195E4D19C504CFBD222BDDAF2B2353B1E8FC309FBFC132E5ABF897C3D3B251EF6F3587B9CF401B5C60AB880CEBE27746167274D6AE5EC81615879A3E01710121527B0E14D347F2B472044B9DE6624668ACD4FBA1FC538C85490E172F61966756AB94968CF38790DAA30A8DB2C60489ED7AA1401A983D7389130391396033A7C4054B6ADE02F1B83DCA811523E02B3D72BFD21B6A75CA30F0BA9A610500E342E4DA7CEC95E25D48CBCF36E7C29BC015DFC31875AD58C8567588819A0BF35F0EA2BA321E790F683E5A8ED60785E7B6083FD570B5D410D635460D64321EF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\NTIOLib_SuiteFB" wide | |
| $w1 = "\\DosDevices\\NTIOLib_SuiteFB" wide | |
| $m0 = {A9596674DA3D8A7D7AD8FCF580447BFE476A14554E50470BECD3EDCEF638F74F69B9B1F0B678820A8C761667E202ADB70DA58AF603FC66D3FC082DCCB573597B89DC336E665A5E5237B462D1925935148B45AC59B24D24A298946842729F3A68E26B8B9E222DF4984E9AC6AFB3E4A0AB3C28BF23E1D772A4F2105367AE77AF51} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {B24F14E710BED72672AB3697EF53BF42845E58D18A28FC43466F7E2844500B755D00D73C0A449E206AA4F7454A3760A36E3F12FA6DFAB646C36AA3B80C2728025728D150F7613955B8C3E12586523CBF051DD7B39AF89A243149D5A2A9E2D391AB3E3C73EFF629F1C835D0307B7F4E92A5068F87E2CEF5C16366AC18692AC15EBB5AE86E95FF3B80629D99C7C72F66D5FD621A82555AC6FA40778EC9303C1BF0F235B86C599CFDE9D6CAB4401EF704CAD167A974E3A50854D983353B8E8C230C75B6DE864A9E1A3E0A5049389CD2A890BF98FAC88C2B27117E2AFBCEDEA9AE389322FAA6ECFB5C6176C344D6CC0C7E2F6D0680A27440BBB71FF43BD773541FF3} | |
| $m3 = {BE4A2335C1F42275B5B0E7DD0A5B0C23655C15460D6E2E8455950F3EF4B46165CFB462C11F2C83EF605BF8ED1DC0808584DFD27F07F168DCDB64FB74B8F5A27190D81B187D0DD3F16A379AE523C9E2CF99ECC3EC1DA2567DB7967A08068BBC3288C310C7C6E0A34D724969FA8E317A31B2C8A414CBF217370C842939E5AE40813C50D577DCFED6E87CD8DF87744A8DED04E18FDD01E450A737B1663BF0A883778250EE26B95DD6A1F3F2AD0509B44D9E4CA02267FE8BC62F00197AD013933EC5F91B85208709E947F724CB1A1193F9CE3F1CD8CFAEC366C3C941E12F65EB098B67E31B59175C57B4D0A8988A7B5D93084EA27D4C14D525EC42C2B117D2BDA47B} | |
| $m4 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "Irp->CurrentLocation <= Irp->StackCount + 1" | |
| $a1 = "Exception in IOCTL_SEMAV6MSR64 writing into memory \n" | |
| $a2 = "Exception in AccessMSR while calling __readmsr\n" | |
| $a3 = "Exception in AccessMSR while calling __writemsr\n" | |
| $a4 = "Exception in AccessMSR while calling __writemsr to clear\n" | |
| $m0 = {C7A32CA56777670FFC18D090C6242C842B37254F34563A1247A2F0DE1460C611E10AC4CC996B798DDEC0B92ED405E3EC00724FDBFB4D72AA76A59C393F1D8B76BF334490361AEED467485F84F76DF246E7146D732CE093F05C7F0BCE6A814A901F64A1F655398C355DDB2EEFC9468C33CEE6213ABFD1246A0CD9D51CED832CBE7323A19E7E1AC8A7BA5B7BDF6E2E7C754FF0D8A2C18133C77728A64946F5A8F8A6293B6E9EB5A78157282699306AD1E301FFE03B262434F31F86C59A9214D2D8C0521C05451376AD02F2624B5DD87A3885EF8739C0133116B20FBDBE5C807DA79B49C2B829563A0E54E7960568065AE5713B68A9F0E7767E94B93A927AC4A143} | |
| $m1 = {B00093AEF2CA6CA64DCC48BF4A23FC2A9BC86EED0B8307B13C67397562806D10D1A8F0D6A733A098D885FA85CF0AEBC9F5BD9B0BB4F7B8B3C164E39F603FD04B2D9C3FBB3E1FD68B8A68A89371FE30D2E597ACEF208615EAB1F76E437F6DF3009E73A7D7A1D4A358DB6D61C2BE516AA324FA6F802732A012D87C9CF64658B6C81D616A05AA85F728E10829CB02A4DF73762AFB1DAE98BFEBD87F091A623BBFB10E06CB8C8CE2EACC4581B295E3FA87F4A817EAECBF080F7FB1400F4F7BBCE9B6AA33E264C6436F12AE18A972041AE5261013F7E12B5150B0169C5219160A240A06BB26DDF01AD31D5E31ACE0C4E72AB3FB189FCAD305C79DDD6F6A69A9B27E85} | |
| $m2 = {C2B88495422DDCB0AA98939BB3EC83A163C317922A81693A9A82286D88CF7DEC6D662614E88DC47EF030A0DC4F0E43765A8C1CA1C5193096C4784AB979B064B059F17F5DA0071948562218C19033BBB685BE10CCC8F2902370BC086D19482F40059D44DEE99D037084B9E34E98FFD30A136A0A5DB7F811B541BFCF264A403BE19FA56495853715E7731FFDC2AF14772318DAF1CDD4A8ABD7F25BB6BA81F7061106342D5926C055947C9D304FC91A78BAF4134B68CE421FA34D4A356373BFA35C60FF3440E0510E50295AEF4E0E61152473C36E5C788F34D0DC92DAFB80EF04D3A35543A9FA68119A3896D2B2DDAF1C0EC48A883B0363C1E302A7F860C57FE14D} | |
| $m3 = {C451A8FD2FF8195CE8997A319A4693624CE7625B25A497CB400310F7993CD9D671CCF38126DCD53F5968A69E6479A527C041CC98F6C8244089C4A12A5B47200912F0FFCC8E64BEEED1015FC7A0FCFC9C5619BA515DBC3AC5CF0FAAEAE0EDEA1E64DDF31993A14BE751905B3202B405BB595CF0C217A4C88992B55744DABC083C4A133372CF04DA276FED76C92852493861CBAEB7708A2D8858A8116303818C32A2D320C22ABB602872011BC2D3F8CBFA1E3C3B75663B888F4F623E6D3AA970B78B66924D8DEA9CE1E4FC845C11B18531A7746DA49774B68F3D8B7CEFFCC198CFBCD8AA214C9249C7E2C7A3F73494B7142F1C09E4BADED4D367382D023FB238E6E0F43884190F95A0EF0C70EE38CC836567791B409CBBC4C94A90B9C6040A12D1C591381C4701550C4A55AE344A88A848401059C809CC9E67800B20BA5369A15F008A9D856CC9B672A2C31553FBD38CAC6E4C3D015A12751A35EEB1FB440E4338CF21549FF54A031FE1C66BD78C6B9B3D2BC76FF0158AF1C0A4F625EA5B332DD3268C457A16126CE5941729B8416033DA4960358F97FE8231B28BB423648434F664561BA2578962AC4239AC07A9FC68E1FC3E165DF1C46F082952D3AF4A8BF37C80D3BB568969F65A2AC3B32C48CBB7DF8BAF041D2D41B639D77941D3C6761A50398E87849D4E7CD33570E562AFEAAAC75350713B3D455261FFB9C1D73A19BB4D} | |
| $m4 = {98732EEA81FE53070EE2E06EB32DF83A56A8847928FF191F13594F527A42642B90D89C1EDF22305726A06B4A6F46E6F4E3A218E347FE3128404DEA67BCF8B600BAB32B213FF34941365A897D6116E4D560DF061D91B1A887D4B05FEEF31C7F4E13D61704EE70FA28D794D93B3948A6DB0F53BD6D0E02D35DF461FC222268DADCD1EDBB85F42B2220B381D1CDC2EEA29926C6C12988D9E887B36755F94E4A66E4B814FA4431A03C1BE7FEFC24DA882323602ED9ACAAD9E44256EE1AAA686C70E493B5C9C0A868F79490BAF25376A44D983ADB5B6760D1144830069D41F4BF34691166FF18ABEC03903462164F8AB019EFD39A84BFCE47DB383DA04F55C025956D} | |
| $m5 = {B7F71A33E6F200042D39E04E5BED1FBC6C0FCDB5FA23B6CEDE9B113397A4294C7D939FBD4ABC93ED031AE38FCFE56D505AD69729945A80B0497ADB2E95FDB8CABF37382D1E3E9141AD7056C7F04F3FE8329E74CAC89054E9C65F0F789D9A403C0EAC61AA5E148F9E87A16A50DCD79A4EAF05B3A671949C71B350600AC7139D38078602A8E9A869261890AB4CB04F23AB3A4F84D8DFCE9FE1696FBBD742D76B44E4C7ADEE6D415F725A710837B37965A459A09437F7002F0DC29272DAD03872DB14A845C45D2A7DB7B4D6C4EEACCD1344B7C92BDD430025FA61B9696A582311B7A7338F567559F5CD29D746B70A2B65B6D3426F15B2B87BFBEFE95D53D5345A27} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_b9a4e40a5d80fedd1037eaed958f9f9efed41eb01ada73d51b5dcd86e27e0cbf | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "b9a4e40a5d80fedd1037eaed958f9f9efed41eb01ada73d51b5dcd86e27e0cbf" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\PhysicalMemory" wide | |
| $w1 = "\\DosDevices\\AsUpdateio" wide | |
| $w2 = "\\DosDevices\\AsUpdateio" wide | |
| $w3 = "\\Device\\AsUpdateio" wide | |
| $m0 = {C4B5F25215BC88866029164A5B2F4B916B8791F335545835EAD1365E624D52513471C27B661D89C8DD2AC46A0AF637D9987491F692AEB0B57696F1A94A6345472E6B0B924E4B2B8CEE584A8BD407E41A2CF882AA58D9CD42F32DC075DE8DABC78E1D9A6C4C08951EDEDBEF67E172C249C29E603CE1E2BE16A3637869147BAD2D} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {BE671DB460AA10496F56177C66C95E860DD5F1ACA771838E8B89F88804891506BA2D842195E4D19C504CFBD222BDDAF2B2353B1E8FC309FBFC132E5ABF897C3D3B251EF6F3587B9CF401B5C60AB880CEBE27746167274D6AE5EC81615879A3E01710121527B0E14D347F2B472044B9DE6624668ACD4FBA1FC538C85490E172F61966756AB94968CF38790DAA30A8DB2C60489ED7AA1401A983D7389130391396033A7C4054B6ADE02F1B83DCA811523E02B3D72BFD21B6A75CA30F0BA9A610500E342E4DA7CEC95E25D48CBCF36E7C29BC015DFC31875AD58C8567588819A0BF35F0EA2BA321E790F683E5A8ED60785E7B6083FD570B5D410D635460D64321EF} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {EC94053FCF73BC5C7F19B12B49D2532360E1EAD7B47BD3785AF118ACADB05C7B890DA71CF48AE739AC2D5D797D5893048B7FD7ECF7CCFD22249954A1F227429C44FE6687EEB51F3E5D64490E42B3DEDE3CEAB98B38BF3EB735606281CF56DB43FC4779CDCF86D556E9F142FEC9ACF299E22732C140253CEEE705A59CFED571AF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\PhysicalMemory" wide | |
| $w1 = "\\DosDevices\\NVFLASH" wide | |
| $w2 = "\\Device\\NVFLASH" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {DDF4596D838BBB41764566046042B37B1AB572D2D7A44FF814A893326FC5ED604C44AA5DE7D69EA20B2607B4FF89FB3A20B39E2898392BB4B05BF297C00444912146E7112E41E7FDD4888A5BED5FC26B25E504B3A594B52541BBD673A75AB163FE315D1F4ECD82B13247C12B7F5B99B024D78CBD33A631BB75ABF01A2AEF667DF6D3B85FAE018642AC1E3354223C58977DF69A0ED9D0FE6B24629014C7E0FEC032403A2B5748AB1CB2FDFDC6316515C255BA035096A4B98B6BC0353198D7F2D5D738568AE256F6E7B9E23D63EE59528CE3D9362B8B98EDE6D3ACF7FE425461474B1CC11479A93242457C749021E8F244947E9A6C7DD617BC8FD68E87A079309F} | |
| $m3 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m4 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\inpoutx64" wide | |
| $w1 = "\\DosDevices\\inpoutx64" wide | |
| $w2 = "\\Device\\PhysicalMemory" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {920054005E215673028E8E5E748C6A8E6B71A5EC94EA0BD17877A60A83CD965B4DAB3182B798561010A5256D58621C1EEC928935CB35FEBFCB106778C8725C735DAAD2FC354BA2DA5543E56BA75455BCDFE7791BB5097BE46B924E41AE79291D5E8F6DEE17612F57E0BFECF08854CE5F6F699BD3A8D93EC6CC1252BBFF5F42E451405C56CBC3BE8719827576EC439A158CF312320D1A052104E614E6546DD41A65C8366DDF00B3629281604789C31CD2E0331E5BFC901CBB5A291FCC7C06AC5E2526565A2B032DBD7B7BAAD9F8798703933BA8287C60B9AD27C4F6D6225BABD5501D1F29FF60D865B0EC1F4D525BC45560C7AA1B87AAEDC8D59472C6E7ABE007} | |
| $m3 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m4 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_54841d9f89e195196e65aa881834804fe3678f1cf6b328cab8703edd15e3ec57 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "54841d9f89e195196e65aa881834804fe3678f1cf6b328cab8703edd15e3ec57" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "CITMDRV.SYS: ZwCreateFile failed (0x%x)\n" | |
| $a1 = "CITMDRV.SYS: unload...\n" | |
| $a2 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_WRITECOMBINE\n" | |
| $a3 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_NOCACHE\n" | |
| $a4 = "CITMDRV.SYS: ZwUnmapViewOfSection failed (0x%x)\n" | |
| $a5 = "CITMDRV.SYS: copy %u bytes into user memory\n" | |
| $a6 = "CITMDRV.SYS: virtualAddress=0x%p\n" | |
| $a7 = "CITMDRV.SYS: Insufficient input or output buffer\n" | |
| $a8 = "CITMDRV.SYS: ZwMapViewOfSection failed (0x%x)\n" | |
| $a9 = "CITMDRV.SYS: aligned Address = 0x%I64x\n" | |
| $a10 = "CITMDRV.SYS: requested offset = 0x%x\n" | |
| $a11 = "CITMDRV.SYS: userOffset = 0x%x\n" | |
| $a12 = "CITMDRV.SYS: Try to split into single pages\n" | |
| $a13 = "CITMDRV.SYS: ZwOpenSection failed (0x%x)\n" | |
| $a14 = "CITMDRV.SYS: offset = 0x%x\n" | |
| $a15 = "CITMDRV.SYS: aligned end Address = 0x%I64x\n" | |
| $a16 = "CITMDRV.SYS: aligned start Address = 0x%I64x\n" | |
| $a17 = "CITMDRV.SYS: requested Size = 0x%x\n" | |
| $a18 = "CITMDRV.SYS: requested Address = 0x%I64x\n" | |
| $a19 = "CITMDRV.SYS: MmProbeAndLockPages access violation\n" | |
| $a20 = "CITMDRV.SYS: IoAllocateMdl failed\n" | |
| $a21 = "CITMDRV.SYS: userVirtualAddress = 0x%p\n" | |
| $a22 = "CITMDRV.SYS: unknown IRP_MJ_DEVICE_CONTROL\n" | |
| $a23 = "CITMDRV.SYS: IRP_MJ_CREATE\n" | |
| $a24 = "CITMDRV.SYS: IoCreateDevice failed\n" | |
| $a25 = "CITMDRV.SYS: IoCreateSymbolicLink failed\n" | |
| $a26 = "CITMDRV.SYS: DriverEntry...\n" | |
| $w0 = "\\DosDevices\\CITMDRV" wide | |
| $w1 = "\\Device\\PhysicalMemory" wide | |
| $w2 = "\\Device\\CITMDRV" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {D66D48AB487B00E92CAB08B846957A4918A507E5A6ACF04FEDCD529AB14D7EB0444DED486867E9C23B5CE55969AE520C6E556E2D1583277A6A09479D9CE2104BB76D1332005412F7D28AA1A85027F622F542F2832FB348F0454BE2D13BAD717280718D798272374000C8DF32748EB926321695E71ACA96FA4B55ACF24DF9A780BDEFE07205866592C1941457898ACB2A866226CF5C5E336C59B9D4359DAB8D340FCC0606C7565AEC8D5AACC37AAED10DD2F72260F831D1FA7ED05D69C7EF31C65424CAF31BF2D9482EA4108D0F7D13B30D6D5FC88D516E9992518D418A871F6CEBC20E55012AB2B7C73611995439723309A26374311F3C4C5D324E6CE5B2EAA3} | |
| $m3 = {97831E0016AF2CB1D208C4D7689351601E71F6E247B4DB584D23626AB4BF5A1B51F7A30D187768BBD836AB2F2150DA9EF3E75F274E0BC297C8097093A9DA5C0D4EA40D91A0B4EC14CE9172542ECEA3DB44E9521B3F413CCA4AE4AAC0E839AB53CC21D0CCCF7F9BE6C2CC586A8215EE3D36CF1CC59707248EF17BBE312D3D6EDCB599429F4B61955F1C70EE177DDB8BE5618978C7681BAF11781A98AEC4554753D9B332D6A10E4640C597928AD153A7995B853557D3EA936261200AC7307724114D6283B6BA7B688231EE65CADFF9D58DB235DC8C2B6F6A725C60849CF20C945EC056520048CCD3F8A57DDE2FD713E438A884D546B81386C21B9DEA5A38DD9BDB} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_29e0062a017a93b2f2f5207a608a96df4d554c5de976bd0276c2590a03bd3e94 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "29e0062a017a93b2f2f5207a608a96df4d554c5de976bd0276c2590a03bd3e94" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "CITMDRV.SYS: ZwCreateFile failed (0x%x)\n" | |
| $a1 = "CITMDRV.SYS: unload...\n" | |
| $a2 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_WRITECOMBINE\n" | |
| $a3 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_NOCACHE\n" | |
| $a4 = "CITMDRV.SYS: ZwUnmapViewOfSection failed (0x%x)\n" | |
| $a5 = "CITMDRV.SYS: copy %u bytes into user memory\n" | |
| $a6 = "CITMDRV.SYS: virtualAddress=0x%p\n" | |
| $a7 = "CITMDRV.SYS: Insufficient input or output buffer\n" | |
| $a8 = "CITMDRV.SYS: MmProbeAndLockPages access violation\n" | |
| $a9 = "CITMDRV.SYS: ZwMapViewOfSection failed (0x%x)\n" | |
| $a10 = "CITMDRV.SYS: userOffset = 0x%x\n" | |
| $a11 = "CITMDRV.SYS: requested offset = 0x%x\n" | |
| $a12 = "CITMDRV.SYS: aligned Address = 0x%I64x\n" | |
| $a13 = "CITMDRV.SYS: Try to split into single pages\n" | |
| $a14 = "CITMDRV.SYS: ZwOpenSection failed (0x%x)\n" | |
| $a15 = "CITMDRV.SYS: offset = 0x%x\n" | |
| $a16 = "CITMDRV.SYS: aligned end Address = 0x%I64x\n" | |
| $a17 = "CITMDRV.SYS: aligned start Address = 0x%I64x\n" | |
| $a18 = "CITMDRV.SYS: requested Size = 0x%x\n" | |
| $a19 = "CITMDRV.SYS: requested Address = 0x%I64x\n" | |
| $a20 = "CITMDRV.SYS: IoAllocateMdl failed\n" | |
| $a21 = "CITMDRV.SYS: userVirtualAddress = 0x%p\n" | |
| $a22 = "CITMDRV.SYS: IRP_MJ_CREATE\n" | |
| $a23 = "CITMDRV.SYS: unknown IRP_MJ_DEVICE_CONTROL\n" | |
| $a24 = "CITMDRV.SYS: IoCreateDevice failed\n" | |
| $a25 = "CITMDRV.SYS: IoCreateSymbolicLink failed\n" | |
| $a26 = "CITMDRV.SYS: DriverEntry...\n" | |
| $w0 = "\\DosDevices\\CITMDRV" wide | |
| $w1 = "\\Device\\PhysicalMemory" wide | |
| $w2 = "\\Device\\CITMDRV" wide | |
| $m0 = {A9596674DA3D8A7D7AD8FCF580447BFE476A14554E50470BECD3EDCEF638F74F69B9B1F0B678820A8C761667E202ADB70DA58AF603FC66D3FC082DCCB573597B89DC336E665A5E5237B462D1925935148B45AC59B24D24A298946842729F3A68E26B8B9E222DF4984E9AC6AFB3E4A0AB3C28BF23E1D772A4F2105367AE77AF51} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {C19C559C6A1B732FDAC3DEF6D5255CF6D9C9116D00B46A3D4C1D2351789690D3CCD17891EC9A395511748C2F4C0B6B98C6BBBEE515A6A7450D6F3048153E46FE0FCFAA68D4F1D32E35EA6BCA67FA90A8F3A533A3711A685B4E4219E4CE7A2DBBE5C0BBCE17167C18741E76C599D7D6073C70CA65FB1923BE80260E86FF71125D} | |
| $m3 = {BE671DB460AA10496F56177C66C95E860DD5F1ACA771838E8B89F88804891506BA2D842195E4D19C504CFBD222BDDAF2B2353B1E8FC309FBFC132E5ABF897C3D3B251EF6F3587B9CF401B5C60AB880CEBE27746167274D6AE5EC81615879A3E01710121527B0E14D347F2B472044B9DE6624668ACD4FBA1FC538C85490E172F61966756AB94968CF38790DAA30A8DB2C60489ED7AA1401A983D7389130391396033A7C4054B6ADE02F1B83DCA811523E02B3D72BFD21B6A75CA30F0BA9A610500E342E4DA7CEC95E25D48CBCF36E7C29BC015DFC31875AD58C8567588819A0BF35F0EA2BA321E790F683E5A8ED60785E7B6083FD570B5D410D635460D64321EF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_45abdbcd4c0916b7d9faaf1cd08543a3a5178871074628e0126a6eda890d26e0 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "45abdbcd4c0916b7d9faaf1cd08543a3a5178871074628e0126a6eda890d26e0" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "CITMDRV.SYS: ZwCreateFile failed (0x%x)\n" | |
| $a1 = "CITMDRV.SYS: unload...\n" | |
| $a2 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_WRITECOMBINE\n" | |
| $a3 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_NOCACHE\n" | |
| $a4 = "CITMDRV.SYS: ZwUnmapViewOfSection failed (0x%x)\n" | |
| $a5 = "CITMDRV.SYS: copy %u bytes into user memory\n" | |
| $a6 = "CITMDRV.SYS: virtualAddress=0x%p\n" | |
| $a7 = "CITMDRV.SYS: Insufficient input or output buffer\n" | |
| $a8 = "CITMDRV.SYS: MmProbeAndLockPages access violation\n" | |
| $a9 = "CITMDRV.SYS: ZwMapViewOfSection failed (0x%x)\n" | |
| $a10 = "CITMDRV.SYS: userOffset = 0x%x\n" | |
| $a11 = "CITMDRV.SYS: requested offset = 0x%x\n" | |
| $a12 = "CITMDRV.SYS: aligned Address = 0x%I64x\n" | |
| $a13 = "CITMDRV.SYS: Try to split into single pages\n" | |
| $a14 = "CITMDRV.SYS: ZwOpenSection failed (0x%x)\n" | |
| $a15 = "CITMDRV.SYS: offset = 0x%x\n" | |
| $a16 = "CITMDRV.SYS: aligned end Address = 0x%I64x\n" | |
| $a17 = "CITMDRV.SYS: aligned start Address = 0x%I64x\n" | |
| $a18 = "CITMDRV.SYS: requested Size = 0x%x\n" | |
| $a19 = "CITMDRV.SYS: requested Address = 0x%I64x\n" | |
| $a20 = "CITMDRV.SYS: IoAllocateMdl failed\n" | |
| $a21 = "CITMDRV.SYS: userVirtualAddress = 0x%p\n" | |
| $a22 = "CITMDRV.SYS: IRP_MJ_CREATE\n" | |
| $a23 = "CITMDRV.SYS: unknown IRP_MJ_DEVICE_CONTROL\n" | |
| $a24 = "CITMDRV.SYS: IoCreateDevice failed\n" | |
| $a25 = "CITMDRV.SYS: IoCreateSymbolicLink failed\n" | |
| $a26 = "CITMDRV.SYS: DriverEntry...\n" | |
| $w0 = "\\DosDevices\\CITMDRV" wide | |
| $w1 = "\\Device\\PhysicalMemory" wide | |
| $w2 = "\\Device\\CITMDRV" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {D66D48AB487B00E92CAB08B846957A4918A507E5A6ACF04FEDCD529AB14D7EB0444DED486867E9C23B5CE55969AE520C6E556E2D1583277A6A09479D9CE2104BB76D1332005412F7D28AA1A85027F622F542F2832FB348F0454BE2D13BAD717280718D798272374000C8DF32748EB926321695E71ACA96FA4B55ACF24DF9A780BDEFE07205866592C1941457898ACB2A866226CF5C5E336C59B9D4359DAB8D340FCC0606C7565AEC8D5AACC37AAED10DD2F72260F831D1FA7ED05D69C7EF31C65424CAF31BF2D9482EA4108D0F7D13B30D6D5FC88D516E9992518D418A871F6CEBC20E55012AB2B7C73611995439723309A26374311F3C4C5D324E6CE5B2EAA3} | |
| $m3 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m4 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "ReadMSR - Exception 0x%08X.\n" | |
| $a1 = "WriteMSR - Exception 0x%08X.\n" | |
| $a2 = "ReadPort32 - Exception 0x%08X.\n" | |
| $a3 = "WritePort32 - Exception 0x%08X.\n" | |
| $a4 = "ReadPort16 - Exception 0x%08X.\n" | |
| $a5 = "WritePort16 - Exception 0x%08X.\n" | |
| $a6 = "ReadPort8 - Exception 0x%08X.\n" | |
| $a7 = "WritePort8 - Exception 0x%08X.\n" | |
| $a8 = "Bus - %d, Device - %d, Function - %d.\n" | |
| $a9 = "CalcBaseClk - PM Timer was not detected.\n" | |
| $a10 = "CalcBaseClk - APIC could not be located.\n" | |
| $a11 = "Error detected in ACPI function, error code 0x%08X\n" | |
| $a12 = "RetrieveAPICAddress - Exception 0x%08X.\n" | |
| $a13 = "ReadMemorySpace - Exception 0x%08X.\n" | |
| $a14 = "WriteMemorySpace - Exception 0x%08X.\n" | |
| $a15 = "GetRsdPtr - Could not allocate buffer\n" | |
| $w0 = "\\Device\\ALSysIO" wide | |
| $w1 = "\\DosDevices\\ALSysIO" wide | |
| $w2 = "PsGetVersion" wide | |
| $w3 = "RtlGetVersion" wide | |
| $m0 = {C30CB7120D4D688A33DE3605F03CBAF5DACD0E537B469F82F26213D7C177ADBB81377E4F1E9381C10622DA1D5084C6979592A993B63DAB867919547D0E16044CC488972CC6A1A85F153AD2642BCC3E0C7AE8A456B11EBBCF84CE8D353A349C6C2DC077B530A91F67E63A09443A437241A291C3469A1FB6B9A70FAF1C751B6425E7086C1447F5471ADE8EEAA263957DF5A8AD55A2649B726FB902733F398A395CC4FE8FFB119CBD10194963D043228BD6AB92997414CF3007BE4FBDFD8A8F9E5ADF6D3CCC5A995090B9ADC29743C25FEDCD333D87CCC1A05BA9623B787D64A3AC4D1F2BD703116C71548AB0ABB11CD67D23DB40073726DB50AF383DA607756F97} | |
| $m1 = {B24F14E710BED72672AB3697EF53BF42845E58D18A28FC43466F7E2844500B755D00D73C0A449E206AA4F7454A3760A36E3F12FA6DFAB646C36AA3B80C2728025728D150F7613955B8C3E12586523CBF051DD7B39AF89A243149D5A2A9E2D391AB3E3C73EFF629F1C835D0307B7F4E92A5068F87E2CEF5C16366AC18692AC15EBB5AE86E95FF3B80629D99C7C72F66D5FD621A82555AC6FA40778EC9303C1BF0F235B86C599CFDE9D6CAB4401EF704CAD167A974E3A50854D983353B8E8C230C75B6DE864A9E1A3E0A5049389CD2A890BF98FAC88C2B27117E2AFBCEDEA9AE389322FAA6ECFB5C6176C344D6CC0C7E2F6D0680A27440BBB71FF43BD773541FF3} | |
| $m2 = {CDC23D5D7722D0C27D3832C315831F426A3B5366DD6A36440D69CF688D89459F7E2FEE423A337C3E00D3976AD85AD5C34D920A5F0650FDBF6CC403A28260D8ED522E1374DE97C645217B55F6EAB16403FC746BB25FC76C6C43148A241037499581D24812A5A2764950217FCA85730A3C5DB52EAD90AA5E4D32CB1793D97F96C0C0896556D9C5B13F981B27FA49EE1D1BCB068C301C3BC5A7705BA8AB185AFEC8F68EBF015D8F6198340F5851FFDF32EA54651C142B6CFC0C901967ED9BD9DA639BD65A24A3748E082300A192B51E0BD108A0667F921BA3ED806402498FB684EFD1558E5EA9975AC50802889456BF92EB2A2D063592B5373631ECC3FE7A3BC285} | |
| $m3 = {F4DB1BDBC03EACF6BD8227495DEEC01FD337FA837B29045AF03C1C3301182175A96574A38C47A10C89E7679BE4E46DFD8149623C82CCB6877E7D7AB2496871B602C1E055819841AD8A5DA26C17C23DBA8640986BF6712ED5BFD7CEA4E0EAC74E592C43AEE18BDDD0F135959BDE97BCE28120E95BF4F15380EDC6E18A27C9DAB601FCECF309868746B507B0785A50E90A97E52A27615C13702BD50836487C9949393BF02AEC7C9CCAF2DCF415D0270D274973AFAA4409C900743AAE19F677C1CFC76C65CF5F3FB1275DD93D0DCC792471A301B096028A07C8D4AA9464EDCB58FEE0D468DBCD0AA25F5FA257298349CD7E186B74B21E1E58618F785008D06B45D7} | |
| $m4 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\DosDevices\\PanIO_1_0" wide | |
| $w1 = "\\Device\\PanIO_1_0" wide | |
| $m0 = {94EF65F8B5579FA0530D3406EB091FB747186ACBF05BE4FF27A534D1F7891ABF9EB1CD12416E66D481A0858B645A462F99A08D77B1E2BC5CDD22D76A67D0BBE8CA74DE8B4F0DB052E5905BEB470EF1E79F9C0B90653E17963045726D39A11736CAB9A08C1B4F0819F68131AD6116A462E6B4409EC3FCFB95F6FBB52E958198E0EFC5EBD802597877F7AAE3526B509129C5FCF7CD9365D2606122F206FB32DD1651FA0EFD8A30F01709A7BBF304AEAB90E76CDF7AA9F4EFC462275F6F996D3874AA118BDADFC7144CE985B2ECC27D4A268FE756BAA6E0CF92538074F403EC68B260BC842000831BA1EEB47405C1298E62D047B1FAF053CC18F92E3BF9707EB425} | |
| $m1 = {B24F14E710BED72672AB3697EF53BF42845E58D18A28FC43466F7E2844500B755D00D73C0A449E206AA4F7454A3760A36E3F12FA6DFAB646C36AA3B80C2728025728D150F7613955B8C3E12586523CBF051DD7B39AF89A243149D5A2A9E2D391AB3E3C73EFF629F1C835D0307B7F4E92A5068F87E2CEF5C16366AC18692AC15EBB5AE86E95FF3B80629D99C7C72F66D5FD621A82555AC6FA40778EC9303C1BF0F235B86C599CFDE9D6CAB4401EF704CAD167A974E3A50854D983353B8E8C230C75B6DE864A9E1A3E0A5049389CD2A890BF98FAC88C2B27117E2AFBCEDEA9AE389322FAA6ECFB5C6176C344D6CC0C7E2F6D0680A27440BBB71FF43BD773541FF3} | |
| $m2 = {B017AEA2D3B60430561E580FB1ED55A4D654CBD8F6733AEC5D5EAB25FD36A5FA84C36140C546B559523B42A22E5F136210A95BE673D69225B17D23E306B3873A0E43F0D7008953A2113152286E5D40723CF20977A7499297D46C90A076A7FDB8DCB39DF207602C4F5898006BD31554E0FADDFF802C5F18A698FFD4ABECA14559B22E6F625DE0D919AC8B579CA8262BD917A510D247081A702C338B7F68802AB5A15D6BDD8D02022903AA7C37BBBB294E3D5393B3A6FA8FD25893154CB92DAB80A3A325FBAFF70864B07A440F5C10D75F6137AA4E6BD3D253259D8273FA2CF972B0A919392A50FAA9D03C3ACAE85BEFF55F51F4F90AD99735DE6A85E6230442AF} | |
| $m3 = {E8551803EE0203C0E49106851D4B105ED1FCC6FD8C261DFA95C32B7001B841A9102F472CD10210508E3E399AF82C7BD488EC127B436D9C94692DF18D6DF48D6803F3DF7E55B8ED517DE7C6E7D50945F229115B2899768DA607BE26987265BAE0A51107D13A70C26C7A338FAEB4E2DB7E8C4E481299CB1B6147CDB87C2255D774C381DD345E62B52FF3023EC788F9980AE773CB87EDC4331F6EA51FF03C1DF97FB1EFF3E89F11B8FBF107DF21F7E1E2E0EA3078008034B3D9236026D4FA873DC802AC7820EAFE879A51E7CF5BB526FB77F8CA80293D922F9146D0567FC93584B4A0BC9D51DE2E7043360F730E4A73A04E4F01C579F9F19AC33433BB00AD558387} | |
| $m4 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "Unknown" | |
| $a1 = "Phoenix - Award" | |
| $a2 = "Phoenix-Award" | |
| $w0 = "\\DosDevices\\BS_Def" wide | |
| $w1 = "\\Device\\BS_Def" wide | |
| $w2 = "\\DosDevices\\BS_Def" wide | |
| $w3 = "\\Device\\PhysicalMemory" wide | |
| $w4 = "\\Device\\PhysicalMemory" wide | |
| $m0 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m1 = {B2502848DDD3687A84184466755D7EC4B89F6326FF3D439C7C113810255573D9752769FD4EB9205CD30AF9A01B2AED55562161D81EDBE4BC336BC7EFDDA337658E1B930CB6531E5C7C66355F058A45FE764EDF5380A281209DAE885CA208F7E530F9EE22374C420ACEDFC61FC4D655E9813FB552A32CAA017AF2A2AA8D35FE9FE65D6A059F3D6BE3BF96C0FECC60F940E707A044EB81516EA52AF2B68A1028ED8FDC06A086509A7B4A080D301DCA109E6BF7E958AE04A94099B228E88F16AC3CE3536F4BD3359DB56F641DB3962CBB3DE779EB6D7AF916E626ADAFEF9953B7402C95B879AAFED452AB29747E42EC391EA26A16E659BB2468D80080431087806B} | |
| $m2 = {BEBCEEBC7EEF83EBE0374FFB031038BE08D28C7D9DFA927F190CC26BEE42528CDED31C481325EAC1637AF95165EED3AA3BF5F0949C2BFBF266D424DAF7F59F6E193936BCD0A376081E2227246C389127E28449AE1B8AA1FD25822C1030E871AB28E8774A51F1ECCDF8F054D46FC0E36D0A8FD9D8648D63B22D4E27F6850EFE6DE32999E285477C2D867FE8578FAD67C23332911320FCA923149A6DC2844B766804D5712C5D21FA880D26FD1F2D912BE701554DF26D352882DFD96B5CB6D6D9AA81FD5FCD83BA639DD022FCA93B4269B28E3AB5BCB49E0F5EC4EA2C828B28FD530896DDB50120D1F9A518E7C0EE517037E1B6054852486F38EAC3E86C7B4484BB} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {C686A3DA1EBDA81576729DC01D9D5EC87BC73D2BDF5B78872FA0E76CE1B9F0EF6CB1439A11B8FB0707792B7C5CFA7586AFC259297381B5C1CEFEFE95218C503710AD69A389F4FF32496303388E53288A6A86421FB946670662FB1B1548E17946BE9AA77A1391C4DA15412F46D188DF37543B7E1C6C3899E7CB4DADE75C623E81} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\DosDevices\\AsrAutoChkUpdDrv" wide | |
| $w1 = "\\REGISTRY\\MACHINE\\HARDWARE\\RESOURCEMAP\\System Resources\\Physical Memory" wide | |
| $w2 = ".Translated" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {EFF813CA43D195BD645B01FC099DD99A44C4AFB0CB5D4E521ACDC1B74CEED891C9A2EA371DE16EC9A62D3988E018C0D22A2D6BF72C440B9C6BA277D27158975F136FAE88BE5FAF7B7BEDF49B61EA77086968FBAE43CFBAF93230DE4303D86F561572CD2A92143986595D8C347A2E6738F52EA1CA9691884BE506F8B0CFD6418BD0FAB6BB260FBB42947D184D6D38D6062EB24FCBF831355269660AB355AA9D94A12311F1B2C59148D9B80A3BCAC20D7018D3B1711D8AD8CAF44E82558A47D9C50CFDFC422C729A1E96237A2E10CC3E69702985FEEA04BF3AC9C289FEC334A6281C773B6FD090C1ED5D5514DB91A99654E82BC4508B10FE50EA23DB0E8E798211} | |
| $m5 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "(MAPMEM) Buffer size error\n" | |
| $a1 = "(MAPMEM) ObReferenceObjectByHandle failed\n" | |
| $a2 = "(MAPMEM) HalTranslatephysicalAddress failed\n" | |
| $a3 = "(MAPMEM) physicalAddressbase=%8.8x %8.8x\n" | |
| $a4 = "(MAPMEM) physicalAddressend=%8.8x %8.8x\n" | |
| $a5 = "(MAPMEM) mappedLength.LowPart == 0\n" | |
| $a6 = "(MAPMEM) ZwMapViewOfSection failed:%x\n" | |
| $a7 = "(MAPMEM) physicalMemoryHandle=%x\n" | |
| $a8 = "(MAPMEM) virtualAddress=%x %x\n" | |
| $a9 = "(MAPMEM) memory successfully mapped\n" | |
| $a10 = "\nInputBufferLength=%x,sizeof (ULONG) = %x" | |
| $a11 = "\nOutputBufferLength=%x,sizeof (LOGICAL_MEMORY_INFO) = %x" | |
| $a12 = "\nSystemVirtualAddress=%x" | |
| $a13 = "(MAPMEM) UserVirtualAddress=%x %x\n" | |
| $a14 = "\nLogical_Address=0x%x %x" | |
| $a15 = "\nPhysical_Address=0x%x %x" | |
| $a16 = "\nReturn Length=0x%x" | |
| $w0 = "\\Device\\ASMMAP64" wide | |
| $w1 = "\\DosDevices\\ASMMAP64" wide | |
| $w2 = "\\Device\\PhysicalMemory" wide | |
| $m0 = {C4B5F25215BC88866029164A5B2F4B916B8791F335545835EAD1365E624D52513471C27B661D89C8DD2AC46A0AF637D9987491F692AEB0B57696F1A94A6345472E6B0B924E4B2B8CEE584A8BD407E41A2CF882AA58D9CD42F32DC075DE8DABC78E1D9A6C4C08951EDEDBEF67E172C249C29E603CE1E2BE16A3637869147BAD2D} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {BEBCEEBC7EEF83EBE0374FFB031038BE08D28C7D9DFA927F190CC26BEE42528CDED31C481325EAC1637AF95165EED3AA3BF5F0949C2BFBF266D424DAF7F59F6E193936BCD0A376081E2227246C389127E28449AE1B8AA1FD25822C1030E871AB28E8774A51F1ECCDF8F054D46FC0E36D0A8FD9D8648D63B22D4E27F6850EFE6DE32999E285477C2D867FE8578FAD67C23332911320FCA923149A6DC2844B766804D5712C5D21FA880D26FD1F2D912BE701554DF26D352882DFD96B5CB6D6D9AA81FD5FCD83BA639DD022FCA93B4269B28E3AB5BCB49E0F5EC4EA2C828B28FD530896DDB50120D1F9A518E7C0EE517037E1B6054852486F38EAC3E86C7B4484BB} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {BDF6AB4452A4EC220B0F20962B1967F9A7842FCB65B7229A2A5012D5FD71C692BCAB01B4D30687AD4E3E78598DA8FA0E7200B2EDD68F98CEF07580256D210B9429544737EDC8E87271952099D9707ECF5345508D8502E91970F3969688B6AEBC212F5642BE986DC5BDA25050D05B03755E5B5D9EA940B1595B61339A48A457F7} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\WinIo" wide | |
| $w1 = "\\DosDevices\\WinIo" wide | |
| $w2 = "\\Device\\PhysicalMemory" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {C188DB09BC6C467C789F957BB53390F27262D6C1362022245ECEE977F2430AA20664A4CC8E36F838E623F06E6DB13CDD72A3851CA1D33DB4332BD32FAFFEEAB0415967B6C4067D0A9E7485D6794C80377ADF39055259F7F41B4643A4D28585D2C371F3756234BA2C8A7F1E8FEEED34D011C796CD523DBA33D6DD4DDE0B3B4A4B9FC2262FFAB5161C723577CA3C5DE6CAE1268B1A36765C01DB741425FEEDB5A0880FDD78CA2D1F079730012D7279FA46D6132AA8B9A6AB83491DE5F2EFDDE4018E180A8F6353168562A90E193ACCB566A6C26B7407E42BE1763EB46DD8F644E173621F3BC4BEA05356256C5109F7AAABCABF76FD6D9BF39DDBBF3D66BC0C56AAAF9848953A4BDFA75850D93875A95BEA430C02FF99EBE86C4D705B29659CDDAA5DCCAF0131EC0CEBD28DE8EA9C7BE66EF727660C1A48D76E42E33FDE213E7BE10D70FB63AAA86C1A54B45C257AC9A2C98B16A6BB2C7E175E054D586E121D01EE12100DC6327F18FFFCF4FACD6E91E83649BE1A48698BC2964D1A12B26917C10A90D6FA792248BFBA7B69F870C7FA7A37D8D80DD2764F57FF90B7E391D2DDEFC260B7673ADDFEAA9CF0D48B7F7222CEC69F97B6F8AF8AA010A8D9FB18C6B6B55C523C89B6192A73010A0F03B31260F27A2F81DBA36EFF263097F58BDD8957B6AD3DB3AF2BC5B77602F0A5D62B9A86142A72F6E3338C5D094B13DFBB8C7413524B} | |
| $m3 = {D83AD54F9D5CF3C20D220A9508AC39139F531862F9A62B698E9F1937A2B7BCC06F9A8EA309723B7B0A98135B1950D7E29C78C0C217E2EC7AE904F962FF11B6D55B716C4619E00238C2DCBA7276D11018988A68E2986E48CA4AA6DC2B1C0306DBE87C4D123F62608B9270F6F113A2C4651CBF6965D5C010D09C09D4FE4C922AAD3EACD0D691A438EC6B986BE7808EEA6ABDD3C326D080EE6A37B76F3437B941DA06E8D1D137EC7221A736B2A5E1DBCB09EA4A26243929043A8AEDFE4A745B36B7CD4D726B959D901DD30DAD0C2CE3FC67E7B101AC4C32FB5B3A3283D067550BA5FCC998300377FCA33CAAC00DE0F35059BF7961847D700D943543AA6CAD3A56BF} | |
| $m4 = {F50F82BD648623A5E8AA4E3DECC0AF19EC7037337D04BBACD1C31036350DFCA528A7AF23D99DB13539E8A7910FD1C9F7F5638DD0CCCF1CC1DFF4C1E7DEAF7F34BD2825EB5F96AAE907C9E981BCF27FEA299FC53D68B7FDD1CEB2970A129F33527346E7E0A5CFDDE4E19ECA35909F52BFBAEFB85F415EB78B3FCD7C492DE2D8C608BE5DB46AA868217B019431EE2B96DB64FBB41BBE1F807F3B421B037FC42E1B028ABBFD4A2547798C3C6FC3EE6B38EB39FFFC814C348F9B9FAE393A65CD5F56C047C1020EEB6CA7FE0A6A067EA9373896CC5C5C260961F86FC540BB89405AD6BA4646B8DFE8CDAD8D65993D67E4BEE11DB4B66A0CF5A3B620FF063CE058AFFE7FC1CE39385CB829D9EE3C3A17E16AF77216ABFBC11D98C5F83901949AD70CE3907D1A48297688BD456C4FC9284EB7564D81FCAE6A05E4754A85ECB138355083B3ACCD48CF676125242C4B379618C462EF406FAEE55B859620C3281720C6E932D339562AE969EF69912C00BECCEB62DBECBFD1B2A4B43464E48F0F4F88DDFAABB69F883C2F8D4F41DBB37953B503EF05A0B32EF606380C7C5DE0A417671429EC06422AB9A92D1D3F2C128BD6B44E279AC8ED70FD85778A928F10EE72523E9E7EA7EEA7CBF21B59F0873B7E6187DCF9236854EC9F7BC21B1267D2EEB6CB1A4573894FA402CA938D5E0599DFD27E735616C3A8F6FC650632EF695BE217F1DEF8DD} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_a9706e320179993dade519a83061477ace195daa1b788662825484813001f526 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "a9706e320179993dade519a83061477ace195daa1b788662825484813001f526" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\NTIOLib_MSICOMM_CC" wide | |
| $w1 = "\\DosDevices\\NTIOLib_MSICOMM_CC" wide | |
| $m0 = {A9596674DA3D8A7D7AD8FCF580447BFE476A14554E50470BECD3EDCEF638F74F69B9B1F0B678820A8C761667E202ADB70DA58AF603FC66D3FC082DCCB573597B89DC336E665A5E5237B462D1925935148B45AC59B24D24A298946842729F3A68E26B8B9E222DF4984E9AC6AFB3E4A0AB3C28BF23E1D772A4F2105367AE77AF51} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {B24F14E710BED72672AB3697EF53BF42845E58D18A28FC43466F7E2844500B755D00D73C0A449E206AA4F7454A3760A36E3F12FA6DFAB646C36AA3B80C2728025728D150F7613955B8C3E12586523CBF051DD7B39AF89A243149D5A2A9E2D391AB3E3C73EFF629F1C835D0307B7F4E92A5068F87E2CEF5C16366AC18692AC15EBB5AE86E95FF3B80629D99C7C72F66D5FD621A82555AC6FA40778EC9303C1BF0F235B86C599CFDE9D6CAB4401EF704CAD167A974E3A50854D983353B8E8C230C75B6DE864A9E1A3E0A5049389CD2A890BF98FAC88C2B27117E2AFBCEDEA9AE389322FAA6ECFB5C6176C344D6CC0C7E2F6D0680A27440BBB71FF43BD773541FF3} | |
| $m3 = {BE4A2335C1F42275B5B0E7DD0A5B0C23655C15460D6E2E8455950F3EF4B46165CFB462C11F2C83EF605BF8ED1DC0808584DFD27F07F168DCDB64FB74B8F5A27190D81B187D0DD3F16A379AE523C9E2CF99ECC3EC1DA2567DB7967A08068BBC3288C310C7C6E0A34D724969FA8E317A31B2C8A414CBF217370C842939E5AE40813C50D577DCFED6E87CD8DF87744A8DED04E18FDD01E450A737B1663BF0A883778250EE26B95DD6A1F3F2AD0509B44D9E4CA02267FE8BC62F00197AD013933EC5F91B85208709E947F724CB1A1193F9CE3F1CD8CFAEC366C3C941E12F65EB098B67E31B59175C57B4D0A8988A7B5D93084EA27D4C14D525EC42C2B117D2BDA47B} | |
| $m4 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "IOCTL_PHYMEM_GETCHANNEL\n" | |
| $a1 = "IOCTL_PHYMEM_SETCHANNEL\n" | |
| $a2 = "inBufLength=%x outBufLength=%x" | |
| $a3 = "IoControlCode = %x" | |
| $a4 = "Call to MmMapLocked failed due to exception 0x%0x\n" | |
| $a5 = "Map physical 0x%p to virtual 0x%p, size %u" | |
| $a6 = "Call to ExAllocatePoolWithTag MAPINFO failed\n" | |
| $a7 = "Call to MmMapLockedPagesSpecifyCache MAPINFO failed\n" | |
| $a8 = "Hardware ID: 0x%08X\n" | |
| $a9 = "!!!!!!SmiPort=0x%x SmiCommand=0x%x SmiSubCommand=0x%x!!\n" | |
| $a10 = "KeActiveProcessors=0x%zx" | |
| $a11 = "SmiResult=%d\n" | |
| $a12 = "!!IOCTL_PHYMEM_GETCHANNEL\n" | |
| $a13 = "MutexType =%x AddrRegOffset = %x AddrRegValue = %x\n" | |
| $a14 = "DataRegOffset =%x DataRegValue = %x WaitTime = %x\n" | |
| $a15 = "!!IOCTL_PHYMEM_SETCHANNEL\n" | |
| $a16 = "!!IOCTL_PHYMEM_INFORM_FP_FW_S3S4S5\n" | |
| $w0 = "\\Registry\\MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Power" wide | |
| $w1 = "HiberbootEnabled" wide | |
| $m0 = {C6CCE573E6FBD4BBE52D2D32A6DFE5813FC9CD2549B6712AC3D5943467A20A1CB05F69A640B1C4B7B28FD098A4A941593AD3DC94D63CDB7438A44ACC4D2582F74AA5531238EEF3496D71917E63B6ABA65FC3A484F84F6251BEF8C5ECDB3892E306E508910CC4284155FBCB5A89157E71E835BF4D72093DBE3A38505B77311B8DB3C724459AA7AC6D00145A04B7BA13EB510A984141224E656187814150A6795C89DE194A57D52EE65D1C532C7E98CD1A0616A46873D03404135CA171D35A7C55DB5E64E13787305604E511B4298012F1793988A202117C2766B788B778F2CA0AA838AB0A64C2BF665D9584C1A1251E875D1A500B2012CC41BB6E0B5138B84BCB} | |
| $m1 = {B2C903159C2CCD4711FF52F322EA54BBA49BE1E9E1230130264D25CD4AB95B0B79625B9A7B70A16226430B51060D58145DC6B24BF5C9F20AB4F6A12C6EABFF2A819A1132FA0EF5F9ED9FA1E0017E916D2B016AA9E82DB6144561235B1DE77004003A398900477A522978C287894D7DFE7764D2201CBD0D403A9310820D43CDB921B86D1B8ECBB7374E758DD0678B821EE55542B617417393FA6755C1B81FA5969C60C34318D527D45F86FEAFDC95111862BE2CA9D308B8CA264E23CC2A0DF0F69557FCC7F3E1BB046D7BDE904A6C61798CA3FB70231E302C240645FF941B76A1DEC66764C85AB8E646D5134BB3D660204B8F0949359DD4FFDD4DB3EF3D3BFCBD} | |
| $m2 = {A3645DFC7CB3E08235E0E0F6C62AE649753BCC6EE053A99F1F6459E67C6B7F6B8C9D55F892E39ED55A635B024950D983CE6F66EEDDCB85E95FA5F9D4877488443B19C9E5F5919FC61439AC24EAA84B2C9189CC5E28F464B650B7F512B373960A67A3BE619FAEF3FD1278750EA65B14FD45238E8644557D1886058C5587794846F7CA0E8DA7DE4E5FE2A8B62D5902618861721868B9B87CEEE6E7342F317781301FBB36018DEF27E3F79AF04C31648DE3EBFA1987A87ECFEC8C0C365B7AC17AB878C7C9062E4610C88DE80460DBBC7374FA4ED8FEAA40F1B2CE704683E9DA40A1593AD915095799563093F3C961CCD008CC6BEC624291AC02C0EFA4F089118F77} | |
| $m3 = {B906741C5DB420AAA921A82A4246AB25201725CB228F90A2A0316B830575AFB20E7C12497B6A8664840F83DC64B9B16E16053E1C95B9E7E7886DB862819079D4DDF5E296F9C3B58823574A1ACF7129E908008FB598E3A732FDAC2EB8F49353F40A394391AFD56BE8D49F46BD8E3DABE2F92BD4EA00406624B7E87FB444758D789AAE31C137CF4E1F5BF8454AD73FC2C9920664BEDE068AAFD0E88AB1F02C88006F0BDC85A74CCB06BFD62E2A326E2971AF8E22F30FD0D898482DA808CBB68B23C263E0B673EB6F7D264F8BF7343D37860CB77827F4C286DB436B5AF83D3DF4E8B06256C6E7ED78A1FBFD7A724F3265C47CC3C477A0043232ED8F3FAF86DD7ED1} | |
| $m4 = {E8822D99F9CAC24295A580734070D29E56545CA9C4D241068FC933FC4D45915C819FED2C9CF81659DF9EB52415C298B9B47749DC89C40ADAAFCB5E6BEDADB07131EBCF3A400C464D93EC8B7A360803AB0C34FE184982FEC7C73148807C1EA20F920E50C9C687EB363FD830C3FFA6F7FBA2CD6F7323FEAC560590F032211689C67088F905977DA3C743DD02E83B3DEDB141A3ED3FBEDB9548C4EE1EB3F2BC0C2B99D0C65D124281E1836E82733F264B1490AE59660AC48DBED2CE06AEAD846F48849B4F40B9F14CF2AF98FBF6CE405D5CF6A8F12FAFEC8922F26B1865B1C173ADD7F1D8CF1E0A745C42B8687EB7D5770A27567C0F62A43F32146095FD0704A209} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\NTIOLib_1_0_1" wide | |
| $w1 = "\\DosDevices\\NTIOLib_1_0_1" wide | |
| $m0 = {C4B5F25215BC88866029164A5B2F4B916B8791F335545835EAD1365E624D52513471C27B661D89C8DD2AC46A0AF637D9987491F692AEB0B57696F1A94A6345472E6B0B924E4B2B8CEE584A8BD407E41A2CF882AA58D9CD42F32DC075DE8DABC78E1D9A6C4C08951EDEDBEF67E172C249C29E603CE1E2BE16A3637869147BAD2D} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {A29B752AA713BA09712418DFA1066229129EDC9E7573E8DF5657699613564FF2C8BC0158ED2686720B60F519C55503579BB910C9A1D47440FF6C00E8E65337FEB7DA793EB85238E9812C9F0E3352A6CD70CE4A5D62F4D1675EBC974A07CABCDD8D47B1CDF1655B8501B04B6BDECD8E2EF550E8A39C9D26986B366341037044F05FE2257579507D5FA106A2460C55954714D39146866899E727F494EC9A4151F796D47A8CE14497687103D8586FBDB41042EE0D6675468B4496D23000120763F7449B0170CA566F9C58972A27178B2E71526D46ABA72B0F7F164864C852FA0617000774D745B30CF5789573E80AEEC4E0728C1E11AA1EBB5ECEF9B400EE73BDCD} | |
| $m3 = {BE2794996C4B3FA39C28F8E6124A05A5316441DFE0F087D59DFBC11259F88F8067D69B9F6046EAF084B1629A2CA0BF2498A31B4F181D1E1E952E870944256088967CA045958D071E9C135E8DC1CDCB66B8B3C65A2AFD3003055D7DA2CDBE8A1EB7889518CF35891488B3E8A849CE2A195C7D3ABDFC5EA01035D675B1FCD9CA35} | |
| $m4 = {B0B1F2800070CEECC38CB497EDC6098C266F89DF675981CFDE14134CC2B145E2537541FA07366FBA117028947C6D72BD071525653A09FF85DCFA7B5E378738E4C74B0880989E8ACD580902C0C30149965888892659F56DC6B9C1FB1825EDD8624ECA0A6C5D70EFCED39B290B09C6F6EEB616D43C548ECC5DE0AFDBDD2309327B328116620A06CB7ACF3421B66F36B6B1CECB9A2935403E9D587CFFAD8298FAB8D589CA35DDCBCD5706CB9BE4BF94A880985F7796F0B6E7AB74794021A663E9D00791BD8538B4AE96ACA1FF1473DAA545B84D86CE2A3CEFD4DF280E75A9A88813C2E47C6093F225CC038497E64EB69F2DD6B58B343CABD5383AC83DC4B1F994CD} | |
| $m5 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_2da330a2088409efc351118445a824f11edbe51cf3d653b298053785097fe40e | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "2da330a2088409efc351118445a824f11edbe51cf3d653b298053785097fe40e" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\PhysicalMemory" wide | |
| $w1 = "\\DosDevices\\Asusgio" wide | |
| $w2 = "\\DosDevices\\Asusgio" wide | |
| $w3 = "\\Device\\Asusgio" wide | |
| $m0 = {C4B5F25215BC88866029164A5B2F4B916B8791F335545835EAD1365E624D52513471C27B661D89C8DD2AC46A0AF637D9987491F692AEB0B57696F1A94A6345472E6B0B924E4B2B8CEE584A8BD407E41A2CF882AA58D9CD42F32DC075DE8DABC78E1D9A6C4C08951EDEDBEF67E172C249C29E603CE1E2BE16A3637869147BAD2D} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {BE671DB460AA10496F56177C66C95E860DD5F1ACA771838E8B89F88804891506BA2D842195E4D19C504CFBD222BDDAF2B2353B1E8FC309FBFC132E5ABF897C3D3B251EF6F3587B9CF401B5C60AB880CEBE27746167274D6AE5EC81615879A3E01710121527B0E14D347F2B472044B9DE6624668ACD4FBA1FC538C85490E172F61966756AB94968CF38790DAA30A8DB2C60489ED7AA1401A983D7389130391396033A7C4054B6ADE02F1B83DCA811523E02B3D72BFD21B6A75CA30F0BA9A610500E342E4DA7CEC95E25D48CBCF36E7C29BC015DFC31875AD58C8567588819A0BF35F0EA2BA321E790F683E5A8ED60785E7B6083FD570B5D410D635460D64321EF} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {EC94053FCF73BC5C7F19B12B49D2532360E1EAD7B47BD3785AF118ACADB05C7B890DA71CF48AE739AC2D5D797D5893048B7FD7ECF7CCFD22249954A1F227429C44FE6687EEB51F3E5D64490E42B3DEDE3CEAB98B38BF3EB735606281CF56DB43FC4779CDCF86D556E9F142FEC9ACF299E22732C140253CEEE705A59CFED571AF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_f88ebb633406a086d9cca6bc8b66a4ea940c5476529f9033a9e0463512a23a57 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "f88ebb633406a086d9cca6bc8b66a4ea940c5476529f9033a9e0463512a23a57" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "CITMDRV.SYS: ZwCreateFile failed (0x%x)\n" | |
| $a1 = "CITMDRV.SYS: unload...\n" | |
| $a2 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_WRITECOMBINE\n" | |
| $a3 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_NOCACHE\n" | |
| $a4 = "CITMDRV.SYS: ZwUnmapViewOfSection failed (0x%x)\n" | |
| $a5 = "CITMDRV.SYS: copy %u bytes into user memory\n" | |
| $a6 = "CITMDRV.SYS: virtualAddress=0x%p\n" | |
| $a7 = "CITMDRV.SYS: Insufficient input or output buffer\n" | |
| $a8 = "CITMDRV.SYS: MmProbeAndLockPages access violation\n" | |
| $a9 = "CITMDRV.SYS: ZwMapViewOfSection failed (0x%x)\n" | |
| $a10 = "CITMDRV.SYS: userOffset = 0x%x\n" | |
| $a11 = "CITMDRV.SYS: requested offset = 0x%x\n" | |
| $a12 = "CITMDRV.SYS: aligned Address = 0x%I64x\n" | |
| $a13 = "CITMDRV.SYS: Try to split into single pages\n" | |
| $a14 = "CITMDRV.SYS: ZwOpenSection failed (0x%x)\n" | |
| $a15 = "CITMDRV.SYS: offset = 0x%x\n" | |
| $a16 = "CITMDRV.SYS: aligned end Address = 0x%I64x\n" | |
| $a17 = "CITMDRV.SYS: aligned start Address = 0x%I64x\n" | |
| $a18 = "CITMDRV.SYS: requested Size = 0x%x\n" | |
| $a19 = "CITMDRV.SYS: requested Address = 0x%I64x\n" | |
| $a20 = "CITMDRV.SYS: IoAllocateMdl failed\n" | |
| $a21 = "CITMDRV.SYS: userVirtualAddress = 0x%p\n" | |
| $a22 = "CITMDRV.SYS: IRP_MJ_CREATE\n" | |
| $a23 = "CITMDRV.SYS: unknown IRP_MJ_DEVICE_CONTROL\n" | |
| $a24 = "CITMDRV.SYS: IoCreateDevice failed\n" | |
| $a25 = "CITMDRV.SYS: IoCreateSymbolicLink failed\n" | |
| $a26 = "CITMDRV.SYS: DriverEntry...\n" | |
| $w0 = "\\DosDevices\\CITMDRV" wide | |
| $w1 = "\\Device\\PhysicalMemory" wide | |
| $w2 = "\\Device\\CITMDRV" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {D66D48AB487B00E92CAB08B846957A4918A507E5A6ACF04FEDCD529AB14D7EB0444DED486867E9C23B5CE55969AE520C6E556E2D1583277A6A09479D9CE2104BB76D1332005412F7D28AA1A85027F622F542F2832FB348F0454BE2D13BAD717280718D798272374000C8DF32748EB926321695E71ACA96FA4B55ACF24DF9A780BDEFE07205866592C1941457898ACB2A866226CF5C5E336C59B9D4359DAB8D340FCC0606C7565AEC8D5AACC37AAED10DD2F72260F831D1FA7ED05D69C7EF31C65424CAF31BF2D9482EA4108D0F7D13B30D6D5FC88D516E9992518D418A871F6CEBC20E55012AB2B7C73611995439723309A26374311F3C4C5D324E6CE5B2EAA3} | |
| $m3 = {97831E0016AF2CB1D208C4D7689351601E71F6E247B4DB584D23626AB4BF5A1B51F7A30D187768BBD836AB2F2150DA9EF3E75F274E0BC297C8097093A9DA5C0D4EA40D91A0B4EC14CE9172542ECEA3DB44E9521B3F413CCA4AE4AAC0E839AB53CC21D0CCCF7F9BE6C2CC586A8215EE3D36CF1CC59707248EF17BBE312D3D6EDCB599429F4B61955F1C70EE177DDB8BE5618978C7681BAF11781A98AEC4554753D9B332D6A10E4640C597928AD153A7995B853557D3EA936261200AC7307724114D6283B6BA7B688231EE65CADFF9D58DB235DC8C2B6F6A725C60849CF20C945EC056520048CCD3F8A57DDE2FD713E438A884D546B81386C21B9DEA5A38DD9BDB} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "!!!!Get NDIS Module Info failed!\n" | |
| $a1 = "NdisIMInitializeDeviceInstanceEx" | |
| $a2 = "NdisIMInitializeDeviceInstanceEx:%p\n" | |
| $a3 = "ndisFindMiniportOnGlobalList:%p %x %p\n" | |
| $a4 = "NdisMRegisterMiniportDriver" | |
| $a5 = "NdisMRegisterMiniportDriver:%p\n" | |
| $a6 = "init_nic_adapter error no ndis offset\n" | |
| $a7 = "EnumSysModule tcpip.sys failed!\n" | |
| $a8 = "OpenBlockSearchLen %d set->0x600\n" | |
| $a9 = "OpenBlockSearchLen %d set->0x800\n" | |
| $a10 = "tcpip base:%p TcpOpenBlock %p OpenBlockSearchLen %x\n" | |
| $a11 = "RootDeviceNameOff:%d %d %d %d \n" | |
| $a12 = "!!!ndis6 offset init failed!\n" | |
| $a13 = "CreateFileA" | |
| $a14 = "CloseHandle" | |
| $a15 = "CreateProcessA" | |
| $a16 = "WaitForSingleObject" | |
| $a17 = "LoadLibraryA" | |
| $a18 = "GetModuleHandleA" | |
| $a19 = "cdo_open no open_context!\n" | |
| $a20 = "IoCreateDevice failed!\n" | |
| $a21 = "IoCreateSymbolicLink failed!\n" | |
| $a22 = "\\DosDevices\\" | |
| $a23 = "\\SystemRoot\\" | |
| $w0 = "\\registry\\machine\\system\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\" wide | |
| $w1 = "IPAddress" wide | |
| $w2 = "DhcpIPAddress" wide | |
| $w3 = "DefaultGateway" wide | |
| $w4 = "RtlGetVersion" wide | |
| $w5 = "kerNel32.dll" wide | |
| $w6 = "\\Device\\Tcp4" wide | |
| $w7 = "\\DosDevices\\Tcp4" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {AE0051901C0274FA4D6322EDEF2FF7D1CC7F88A6F830FA9B21953A427799B887ACBA537A557BEF3677CEB6A075CA3C91F942B305C59C7CD60D9BA9F4824C71352B73134F7CC9DB2EB71CDA2DFE38BA90D075442EC7783A4A2EC5732C138139278E13E8B5C91B206F3B5DDFAB3855BD871710046C3C849C6760477A70C8952E1DFFFEAD14F55DEF82EB2F03B44196762467BA0C03ED322BC30B4576D5D4BB8C099FFB223FD2899C68DE000DB2F6D57ADC29600779DBB58AB1A869DAC451A5E975B0CCBCF139E3BD5C104DB5BB7B97593D58B8BFC2B0BBD4AD93C18E0E1E2A5F3CD4BB098FD920FE2801DC56554FA7E4FAB2C1178A7A6113870F2DA8F771A31C3D} | |
| $m3 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m4 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\NTIOLib_1_0_8" wide | |
| $w1 = "\\DosDevices\\NTIOLib_1_0_8" wide | |
| $m0 = {A29B752AA713BA09712418DFA1066229129EDC9E7573E8DF5657699613564FF2C8BC0158ED2686720B60F519C55503579BB910C9A1D47440FF6C00E8E65337FEB7DA793EB85238E9812C9F0E3352A6CD70CE4A5D62F4D1675EBC974A07CABCDD8D47B1CDF1655B8501B04B6BDECD8E2EF550E8A39C9D26986B366341037044F05FE2257579507D5FA106A2460C55954714D39146866899E727F494EC9A4151F796D47A8CE14497687103D8586FBDB41042EE0D6675468B4496D23000120763F7449B0170CA566F9C58972A27178B2E71526D46ABA72B0F7F164864C852FA0617000774D745B30CF5789573E80AEEC4E0728C1E11AA1EBB5ECEF9B400EE73BDCD} | |
| $m1 = {BE2794996C4B3FA39C28F8E6124A05A5316441DFE0F087D59DFBC11259F88F8067D69B9F6046EAF084B1629A2CA0BF2498A31B4F181D1E1E952E870944256088967CA045958D071E9C135E8DC1CDCB66B8B3C65A2AFD3003055D7DA2CDBE8A1EB7889518CF35891488B3E8A849CE2A195C7D3ABDFC5EA01035D675B1FCD9CA35} | |
| $m2 = {B0B1F2800070CEECC38CB497EDC6098C266F89DF675981CFDE14134CC2B145E2537541FA07366FBA117028947C6D72BD071525653A09FF85DCFA7B5E378738E4C74B0880989E8ACD580902C0C30149965888892659F56DC6B9C1FB1825EDD8624ECA0A6C5D70EFCED39B290B09C6F6EEB616D43C548ECC5DE0AFDBDD2309327B328116620A06CB7ACF3421B66F36B6B1CECB9A2935403E9D587CFFAD8298FAB8D589CA35DDCBCD5706CB9BE4BF94A880985F7796F0B6E7AB74794021A663E9D00791BD8538B4AE96ACA1FF1473DAA545B84D86CE2A3CEFD4DF280E75A9A88813C2E47C6093F225CC038497E64EB69F2DD6B58B343CABD5383AC83DC4B1F994CD} | |
| $m3 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986" | |
| created = "2023-04-07" | |
| strings: | |
| $m0 = {B3A3F7AFA047D73297A7BBB9AA8F8DDEC9C9E8F1A6A70E230A89B0E5DA47903B097100A0F3FD26B17D50FD95280A900DF7D9DDD77CCF50FBF955C4EB59DF0D6DD13C6B995117AF2804B7691835EFDDBBA6FB3D2715C976F6B23D183B6A058B912BC27E592B85E5FF41665B6B7096AB125E8B35016EB5E22F3ACE8B31C01D7B53} | |
| $m1 = {C4B5F25215BC88866029164A5B2F4B916B8791F335545835EAD1365E624D52513471C27B661D89C8DD2AC46A0AF637D9987491F692AEB0B57696F1A94A6345472E6B0B924E4B2B8CEE584A8BD407E41A2CF882AA58D9CD42F32DC075DE8DABC78E1D9A6C4C08951EDEDBEF67E172C249C29E603CE1E2BE16A3637869147BAD2D} | |
| $m2 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m3 = {A29B752AA713BA09712418DFA1066229129EDC9E7573E8DF5657699613564FF2C8BC0158ED2686720B60F519C55503579BB910C9A1D47440FF6C00E8E65337FEB7DA793EB85238E9812C9F0E3352A6CD70CE4A5D62F4D1675EBC974A07CABCDD8D47B1CDF1655B8501B04B6BDECD8E2EF550E8A39C9D26986B366341037044F05FE2257579507D5FA106A2460C55954714D39146866899E727F494EC9A4151F796D47A8CE14497687103D8586FBDB41042EE0D6675468B4496D23000120763F7449B0170CA566F9C58972A27178B2E71526D46ABA72B0F7F164864C852FA0617000774D745B30CF5789573E80AEEC4E0728C1E11AA1EBB5ECEF9B400EE73BDCD} | |
| $m4 = {B0B1F2800070CEECC38CB497EDC6098C266F89DF675981CFDE14134CC2B145E2537541FA07366FBA117028947C6D72BD071525653A09FF85DCFA7B5E378738E4C74B0880989E8ACD580902C0C30149965888892659F56DC6B9C1FB1825EDD8624ECA0A6C5D70EFCED39B290B09C6F6EEB616D43C548ECC5DE0AFDBDD2309327B328116620A06CB7ACF3421B66F36B6B1CECB9A2935403E9D587CFFAD8298FAB8D589CA35DDCBCD5706CB9BE4BF94A880985F7796F0B6E7AB74794021A663E9D00791BD8538B4AE96ACA1FF1473DAA545B84D86CE2A3CEFD4DF280E75A9A88813C2E47C6093F225CC038497E64EB69F2DD6B58B343CABD5383AC83DC4B1F994CD} | |
| $m5 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\DBUtil_2_3" wide | |
| $w1 = "\\DosDevices\\DBUtil_2_3" wide | |
| $m0 = {C4B5F25215BC88866029164A5B2F4B916B8791F335545835EAD1365E624D52513471C27B661D89C8DD2AC46A0AF637D9987491F692AEB0B57696F1A94A6345472E6B0B924E4B2B8CEE584A8BD407E41A2CF882AA58D9CD42F32DC075DE8DABC78E1D9A6C4C08951EDEDBEF67E172C249C29E603CE1E2BE16A3637869147BAD2D} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {BEBCEEBC7EEF83EBE0374FFB031038BE08D28C7D9DFA927F190CC26BEE42528CDED31C481325EAC1637AF95165EED3AA3BF5F0949C2BFBF266D424DAF7F59F6E193936BCD0A376081E2227246C389127E28449AE1B8AA1FD25822C1030E871AB28E8774A51F1ECCDF8F054D46FC0E36D0A8FD9D8648D63B22D4E27F6850EFE6DE32999E285477C2D867FE8578FAD67C23332911320FCA923149A6DC2844B766804D5712C5D21FA880D26FD1F2D912BE701554DF26D352882DFD96B5CB6D6D9AA81FD5FCD83BA639DD022FCA93B4269B28E3AB5BCB49E0F5EC4EA2C828B28FD530896DDB50120D1F9A518E7C0EE517037E1B6054852486F38EAC3E86C7B4484BB} | |
| $m3 = {BF7DA22949D189D080B752E0643E7101A4D6EFA24BFF48853E3846A9AE46347CDEBAFF96642C89DBF0AA477CDCCA407953B190B944291C99198A1820A68394304B57E9571F2AA86604D46C15EB31BA468AFD8269D3DEF265256CAC8D47B19544B3059AC005FC5430798AC32097A91717E3659A0E59D571A7828C97561983C80D} | |
| $m4 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Eventlog\\System\\" wide | |
| $w1 = "TypesSupported" wide | |
| $w2 = "EventMessageFile" wide | |
| $w3 = "\\DosDevices\\" wide | |
| $w4 = "SANDRA" wide | |
| $m0 = {9CE6420E031D56BF33040E6C1497DAAF73AAF81876C069715965B2981833B2049E22DA1EE67936246E5A6C678C44A2E828767BA6A7080255330E23A2EFC07706ADD1772D8D460919ADF7843AB398F18A7B76115FE80CEB7DA1BE34D0BAC144B0B21F4ACF1DA56487A0F17FF3A4DCABF8C1AF2D027E3B750D0A6975FC5F5113265A323DA2871AE75B3A88A3332F679BB185272C7F414E3122EDDDDE2AABD82CD6FA73722CF8B58AE3BEE312090C1388552B0328CEA40B929AA1DF6C327D88A69A19BE4B3A647D03A69952F18F8F59FDE2DE32CF034A65CE51AB654020AFB9563CECC3C2C7BB3FE5B3F0069A791D05589C14170E20EAEB0DC6D0B6C9CD3058C9A7} | |
| $m1 = {C42F152D9F50DA914F4DEE97DC8207FCEA95BBC375CD189AD221D6E9EFA459A2D29C8EAD50686332AC58053AF95014584823EFB8DFB6991CB690F1DAE2356203E3F48C1E7F54D444E105DD15B55B682F900A8717796C0C417536C1A687C5E35C792C8066CEA384F70BC38818DAFCEBB4E474A413C8891DB4E290A24A5FA48B69} | |
| $m2 = {EABADA1DE181636C9B2C4DC2E0470A6B1CFBC8152390B09441212DD0ADED0979F02BFB946EC59458A00A0B90C502E3FCEBA988B5C468292C133BE2B9FFA84BAB03840777CC5EE6B7BA995C296FDE6CEC31E8EBFACEABF162A8577D94B6DDF1BC1C51C0AF16E1D3913C4AF4AC916ECF222CDF197A96BE11D7C86995F1A033AB025C93AAA81CCB03705BC83AAE1C2D84D6F9D9697916A7D1E66AF6A9D282396ACD84A0BA1C86AC7765A0F605EE6ED2A2958A53029900EE04EA8378ECD91429FDD6EEC1541E47022F2EE4520F372942D1252BBC0CDBF6F6BF4F28B92B1FAA24A8CF7DB6F2557ACD4B9AA236095C0E83EFC9057CC55DE1DC3D8213B2CE01372873FD} | |
| $m3 = {C15DB158670862EEA09A2D1F086D911468980A1EFEDA046F13846221C3D17CCE9F05E0B801F04E34ECE28A950464ACF16B535F05B3CB6780BF42028EFEDD0109ECE100144FFCFBF00CDD43BA5B2BE11F80709915579316F10F976AB7C268231CCC4D5930AC511E3BAF2BD6EE63457BC5D95F50D2E3500F3A88E7BF14FDE0C7B9} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece" | |
| created = "2023-04-07" | |
| strings: | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {D230341C22141C55DBE3B5AD1B86BD0252E9AD3EA1E0B632961B925F4DBD74C7E2D7CEE8F8CB20B4D2CC021134397408C28CF916550555F516E00B5D382C569A3FEF1757AC8DD7CF1CF57E355054BC48FC251E4BAA8EF59E666319C2F537DE1BD36E2B2D67FC9C591AF77772304DBE392956DA2061D77BD916656903E01E0446E9A17D3571704223E5268EEF7302230ACB91AC667D6C598387B62A250289085BCAC88E73AE8D69C2A22AA5893CE9862596D12CB6F9444D2C845272D30620AF1EAC4B66531E8D95FF8CFF56093EA62D9A8AB82DC5C274B874F52DE4CFADA77D5BD9F086AD281BFA205F4326A97967D38292E75A55532228BBF4E7F86A6A7F88B3} | |
| $m5 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52" | |
| created = "2023-04-07" | |
| strings: | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {DB5C13D2723CE85E68470607D6540005C8DAD51C4A69EB5945C790D475E0BBF389854977BCA2EC396CB865B77B8D34C28EC8949CE78B14920A3A7DEB99E44FDD744F418A380A38D345CEA2AB79BFFC1B7ED0E45CF1D2F02847322025D1A8FD85EBB753878812CD1BA898A85E12A82AAF2CFEEEF00D09626687336432DB9ED81469E6150C0B0298A2B52F73507217B11B87192B0D12B94295EFF4752486585622541B176A329873A8371C0C03785B58D19AC84104AEED40B84F7277AFF20628B4A8C466F4C7905AA08B1812A5EF8C7F408A76F38B8210F980D21C5529564F9CA5B5444E0C2F97F82F147754340C99E71DEA4E82DB1F40486D9CAABE05640BDE1B} | |
| $m5 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\OpenLibSys" wide | |
| $w1 = "\\DosDevices\\OpenLibSys" wide | |
| $m0 = {C6BCD918CF65D1873C8AFC9A0942B968C9F0BD6807B070611D73DFACDDF6BEDC36127E5C6079BE65640F2C12A65CB053C97A98011588C787BD81902DAD544B4C0CDA4DCF87A1D155CEC97BE3ACCA492FBB2222210D6ECE8421DD6B0A3F7FA02952C441029D8FBD2392A35BAB14FDFB5C7A6B9CC71AE6E4D6C9FCECE71D916EA62B6337EE7BF76FBD6137AD7E690A2FC6EB34BB3E09E8A9806DEC1A9D897A93336BE05307278ACEC04DA7E20A92FC5FF15716E863E7D251F50D8E892DB6C291C04592488087522D84F46D7201E5CF9BD831FE2BA6AAA5397F3AC78A7AD5FB27A0FC8CDE13C0F280FE92FEA842D30F49A793BA0C64B408D6B8C2FD02EA475DBAE7} | |
| $m1 = {BDEF30F130F134A98965774D46A78D90FDAE4F8ECA2817BA59E3A8920A45032A8A8FE50950555281F0A391B1D9122A81F6C2031C3C82C072CDF1A700D7F5549C0A47EE9A9541928EA0AD093DD3EBA274AD9F192009B67DA65E359F4F396A03B58AAD1F96626B17B9AB8760D55D6DD992C9D013AED488D950A8449104B0EA47EA5FB2ED04C1D7017C21F8C47123FC6B4C654433C38D1DE6D2661C522946C406E70B35F05901660089CF9CE37B78AA53E2EEAC3595E7FD5DD7429495D31A6E315547D7EBADC74C9F5471831A17C8F9E7CE5801F436BFAE3F599F657C40075C732034A212C349F46840691E89E085E93AB79763BB47B0396B41007EF54BB87FE321} | |
| $m2 = {A29B752AA713BA09712418DFA1066229129EDC9E7573E8DF5657699613564FF2C8BC0158ED2686720B60F519C55503579BB910C9A1D47440FF6C00E8E65337FEB7DA793EB85238E9812C9F0E3352A6CD70CE4A5D62F4D1675EBC974A07CABCDD8D47B1CDF1655B8501B04B6BDECD8E2EF550E8A39C9D26986B366341037044F05FE2257579507D5FA106A2460C55954714D39146866899E727F494EC9A4151F796D47A8CE14497687103D8586FBDB41042EE0D6675468B4496D23000120763F7449B0170CA566F9C58972A27178B2E71526D46ABA72B0F7F164864C852FA0617000774D745B30CF5789573E80AEEC4E0728C1E11AA1EBB5ECEF9B400EE73BDCD} | |
| $m3 = {CDCB1B731DA7FFDFC3AE4782C100F2913C1080D775E6A2E0B08AF86B73C248F9D98482DB6FBEAEBF56529935AFD6C2E3E2D1D4B6A79350720480F4C96B15F3FC7C3B584F77E24904628B999062038592FE0C6BDF41C4B28D581E88B9106104B4C7839CC2B116D6BD649507F9F9A65A3991523A2C27F8D0DCD31A9A598510B50061253B3D1317C8114C76A6FE4C61CC59D2C44330215C1540094F73E1C195A465668FDBD3A83011F9C5AC131150A84FB7541FECAF991A39A0ED2803117BBAB0B2FB843EB6F8744B899B990A9AE7F8894DB889C9B4A500339065C44260CEBC43423813D5DE5B6BA24ED13F4A3945675801B82353EF370766017FBF6709050BE7BF} | |
| $m4 = {B0B1F2800070CEECC38CB497EDC6098C266F89DF675981CFDE14134CC2B145E2537541FA07366FBA117028947C6D72BD071525653A09FF85DCFA7B5E378738E4C74B0880989E8ACD580902C0C30149965888892659F56DC6B9C1FB1825EDD8624ECA0A6C5D70EFCED39B290B09C6F6EEB616D43C548ECC5DE0AFDBDD2309327B328116620A06CB7ACF3421B66F36B6B1CECB9A2935403E9D587CFFAD8298FAB8D589CA35DDCBCD5706CB9BE4BF94A880985F7796F0B6E7AB74794021A663E9D00791BD8538B4AE96ACA1FF1473DAA545B84D86CE2A3CEFD4DF280E75A9A88813C2E47C6093F225CC038497E64EB69F2DD6B58B343CABD5383AC83DC4B1F994CD} | |
| $m5 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_362c4f3dadc9c393682664a139d65d80e32caa2a97b6e0361dfd713a73267ecc | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "362c4f3dadc9c393682664a139d65d80e32caa2a97b6e0361dfd713a73267ecc" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\DosDevices\\BS_RCIO" wide | |
| $m0 = {C6CCE573E6FBD4BBE52D2D32A6DFE5813FC9CD2549B6712AC3D5943467A20A1CB05F69A640B1C4B7B28FD098A4A941593AD3DC94D63CDB7438A44ACC4D2582F74AA5531238EEF3496D71917E63B6ABA65FC3A484F84F6251BEF8C5ECDB3892E306E508910CC4284155FBCB5A89157E71E835BF4D72093DBE3A38505B77311B8DB3C724459AA7AC6D00145A04B7BA13EB510A984141224E656187814150A6795C89DE194A57D52EE65D1C532C7E98CD1A0616A46873D03404135CA171D35A7C55DB5E64E13787305604E511B4298012F1793988A202117C2766B788B778F2CA0AA838AB0A64C2BF665D9584C1A1251E875D1A500B2012CC41BB6E0B5138B84BCB} | |
| $m1 = {9ED926A1BCE826AA3D488BA1CA5F3FEA34414C9277C2EEB2DA0C039D189C3377FDC013E0C81EF7ED2808ED5CE0F8425F79E2CA2C6B938A84EC5BDEB99004459D7627720DE83268DF65FFC5B2DA62744FC305A68E1DB49946D5977A013CB3739756231753F7DB6BA60206D2FE273F9AF9AADF2D54E8811300ED8E4312232731C33FE96720463BFF62359693D5DBCCB755EB86C1F0BC2A9B79AC1225C2F6909F7F27848C7DF900741AAA21DB3A5130CF45E585E85B158710613624859E16636D8AD2624490812479AD9A27B344BDFB4C9B87B209286F2F322E7687829E771770F5BAA8769E1ED054706A99E9F520A16AD498134EB3F9F6015F488234A5838A9B3F} | |
| $m2 = {A3645DFC7CB3E08235E0E0F6C62AE649753BCC6EE053A99F1F6459E67C6B7F6B8C9D55F892E39ED55A635B024950D983CE6F66EEDDCB85E95FA5F9D4877488443B19C9E5F5919FC61439AC24EAA84B2C9189CC5E28F464B650B7F512B373960A67A3BE619FAEF3FD1278750EA65B14FD45238E8644557D1886058C5587794846F7CA0E8DA7DE4E5FE2A8B62D5902618861721868B9B87CEEE6E7342F317781301FBB36018DEF27E3F79AF04C31648DE3EBFA1987A87ECFEC8C0C365B7AC17AB878C7C9062E4610C88DE80460DBBC7374FA4ED8FEAA40F1B2CE704683E9DA40A1593AD915095799563093F3C961CCD008CC6BEC624291AC02C0EFA4F089118F77} | |
| $m3 = {B906741C5DB420AAA921A82A4246AB25201725CB228F90A2A0316B830575AFB20E7C12497B6A8664840F83DC64B9B16E16053E1C95B9E7E7886DB862819079D4DDF5E296F9C3B58823574A1ACF7129E908008FB598E3A732FDAC2EB8F49353F40A394391AFD56BE8D49F46BD8E3DABE2F92BD4EA00406624B7E87FB444758D789AAE31C137CF4E1F5BF8454AD73FC2C9920664BEDE068AAFD0E88AB1F02C88006F0BDC85A74CCB06BFD62E2A326E2971AF8E22F30FD0D898482DA808CBB68B23C263E0B673EB6F7D264F8BF7343D37860CB77827F4C286DB436B5AF83D3DF4E8B06256C6E7ED78A1FBFD7A724F3265C47CC3C477A0043232ED8F3FAF86DD7ED1} | |
| $m4 = {E8822D99F9CAC24295A580734070D29E56545CA9C4D241068FC933FC4D45915C819FED2C9CF81659DF9EB52415C298B9B47749DC89C40ADAAFCB5E6BEDADB07131EBCF3A400C464D93EC8B7A360803AB0C34FE184982FEC7C73148807C1EA20F920E50C9C687EB363FD830C3FFA6F7FBA2CD6F7323FEAC560590F032211689C67088F905977DA3C743DD02E83B3DEDB141A3ED3FBEDB9548C4EE1EB3F2BC0C2B99D0C65D124281E1836E82733F264B1490AE59660AC48DBED2CE06AEAD846F48849B4F40B9F14CF2AF98FBF6CE405D5CF6A8F12FAFEC8922F26B1865B1C173ADD7F1D8CF1E0A745C42B8687EB7D5770A27567C0F62A43F32146095FD0704A209} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8" | |
| created = "2023-04-07" | |
| strings: | |
| $m0 = {CC2576907906782216F5C083B684CA289EFD057611C5AD8872FC460243C7B28A9D045F24CB2E4BE1608246E152AB0C8147706CDD64D1EBF52CA30F823D0C2BAE97D7B614861079BB3B1380778C08E149D26A622F1F5EFA9668DF892795389F06D73EC9CB26590D73DEB0C8E9260E8315C6EF5B8BD20460CA49A628F6693BF6CBC82891E59D8A615737AC7414DC74E03AEE722F2E9CFBD0BBBFF53D00E10633E8822BAE53A63A16738CDD410E203AC0B4A7A1E9B24F902E3260E957CBB904926868E538266075B29F77FF9114EFAE2049FCAD401548D1023161195EB897EFAD77B7649A7ABF5FC113EF9B62FB0D6CE0546916A903DA6EE983937176C669858217} | |
| $m1 = {D9B7BA25AD94F35BBE41061C53CA0C108C514159337964F4579DE4D525C4EC50845898727940E22F78D492EA260E9EAE957CFBC4FD7144DD8C5FB7238B5EBBF4FC4BCB233DC37603F5D18C45BC71751D8BD28989BEE3513DC6C88AB23135076EB9F5BA6A0DF4109FAED56249287BEC57BAAB327CB17DD2A2560636EEB0EFD06AAEEAAB1FD60D9F7C96FBAD70992D5D95F080D07946EC553ACCD338FB0407A807758282E0D07E77B88FEBD228FCAE6D1468417F7643D748BA6044E1B772E8D0F020037BDADAB40675C7B203DEF894C6688F5E7B9E9B9D36E0CED26BC6C66BE91422B5717EB68F5A1FDBE76EF442109068E62B45104F73BA2CD7C5316A72DD6373} | |
| $m2 = {AD123C22E4299CC119E7DE8001D5A5FD9AF2E9F25C8A026D0762F762543A92A74D4A528B446435966EDCBE8A47955330FE5922D0E3B50322A608243C4FBD2DAF53037025D1974827AC7BE1024ADA613F945FD9B33F3771C5B35DEDAAFC64B240FA552A73D9383D58D59608D2E112E9E812A03BA960E088A5D5F554730B6DBB374A6D6A268FDCF53DA716BBA2526B15023654CFD891C9C1FD4FF1CFAAB7C51BDD7DB28700E9B8E44558248AA67712FBFA5419063CCA5322C55F5A3E554EDF7B6BD4B49227FDBBF4FBB4897358992D9E28B1B08C8C1EBF3C952CEC940FDF041542A0B8FA3488F24FB8ADB98C7CF740AD89144F3460265A0216D9FAA8C41A1D8C05} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\nchgbios2" wide | |
| $w1 = "\\DosDevices\\nchgbios2" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {DA0539DFD94164A9897F56DA02CC9AE2C00B7390E5BE94EBF17AB928EF2B17C3DCDB734CC9D1C0ACAC3C271DFBC95EB75009340B8E08636A3A604537123A96FEB71896FDE7CF2ED05EF2FE42C264AA355557183062E185980AA8C583DB7C591B3E9A9501E0AF32FF1EAE549C0F053F43E780724B4BB7A5A6DA0E06235C79F47A8FC5A3FA181D494DC0E2ACE4BDDD68280618FDA1B06487CDF8FAAE19BFFCF62D7D7BB81B90C1DB3F3CE31B3B53AA693F94C3544E846B9F3894E80F9D37FD013BA8E6E9F37818C6D8470BA6BE884D22339824A7B602A814C7E48309015F5075DA5C7DCDBB70926CC3F5D9249422CFD5209EF5617C1EB49723A0841F623809CDF9} | |
| $m5 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "ReadMSR - Exception 0x%08X.\n" | |
| $a1 = "WriteMSR - Exception 0x%08X.\n" | |
| $a2 = "ReadPort32 - Exception 0x%08X.\n" | |
| $a3 = "WritePort32 - Exception 0x%08X.\n" | |
| $a4 = "ReadPort16 - Exception 0x%08X.\n" | |
| $a5 = "WritePort16 - Exception 0x%08X.\n" | |
| $a6 = "ReadPort8 - Exception 0x%08X.\n" | |
| $a7 = "WritePort8 - Exception 0x%08X.\n" | |
| $a8 = "Bus - %d, Device - %d, Function - %d.\n" | |
| $a9 = "CalcBaseClk - PM Timer was not detected.\n" | |
| $a10 = "CalcBaseClk - APIC could not be located.\n" | |
| $a11 = "Error detected in ACPI function, error code 0x%08X\n" | |
| $a12 = "RetrieveAPICAddress - Exception 0x%08X.\n" | |
| $a13 = "ReadMemorySpace - Exception 0x%08X.\n" | |
| $a14 = "WriteMemorySpace - Exception 0x%08X.\n" | |
| $a15 = "GetRsdPtr - Could not allocate buffer\n" | |
| $w0 = "\\Device\\ALSysIO" wide | |
| $w1 = "\\DosDevices\\ALSysIO" wide | |
| $w2 = "PsGetVersion" wide | |
| $w3 = "RtlGetVersion" wide | |
| $m0 = {94EF65F8B5579FA0530D3406EB091FB747186ACBF05BE4FF27A534D1F7891ABF9EB1CD12416E66D481A0858B645A462F99A08D77B1E2BC5CDD22D76A67D0BBE8CA74DE8B4F0DB052E5905BEB470EF1E79F9C0B90653E17963045726D39A11736CAB9A08C1B4F0819F68131AD6116A462E6B4409EC3FCFB95F6FBB52E958198E0EFC5EBD802597877F7AAE3526B509129C5FCF7CD9365D2606122F206FB32DD1651FA0EFD8A30F01709A7BBF304AEAB90E76CDF7AA9F4EFC462275F6F996D3874AA118BDADFC7144CE985B2ECC27D4A268FE756BAA6E0CF92538074F403EC68B260BC842000831BA1EEB47405C1298E62D047B1FAF053CC18F92E3BF9707EB425} | |
| $m1 = {B24F14E710BED72672AB3697EF53BF42845E58D18A28FC43466F7E2844500B755D00D73C0A449E206AA4F7454A3760A36E3F12FA6DFAB646C36AA3B80C2728025728D150F7613955B8C3E12586523CBF051DD7B39AF89A243149D5A2A9E2D391AB3E3C73EFF629F1C835D0307B7F4E92A5068F87E2CEF5C16366AC18692AC15EBB5AE86E95FF3B80629D99C7C72F66D5FD621A82555AC6FA40778EC9303C1BF0F235B86C599CFDE9D6CAB4401EF704CAD167A974E3A50854D983353B8E8C230C75B6DE864A9E1A3E0A5049389CD2A890BF98FAC88C2B27117E2AFBCEDEA9AE389322FAA6ECFB5C6176C344D6CC0C7E2F6D0680A27440BBB71FF43BD773541FF3} | |
| $m2 = {F4DB1BDBC03EACF6BD8227495DEEC01FD337FA837B29045AF03C1C3301182175A96574A38C47A10C89E7679BE4E46DFD8149623C82CCB6877E7D7AB2496871B602C1E055819841AD8A5DA26C17C23DBA8640986BF6712ED5BFD7CEA4E0EAC74E592C43AEE18BDDD0F135959BDE97BCE28120E95BF4F15380EDC6E18A27C9DAB601FCECF309868746B507B0785A50E90A97E52A27615C13702BD50836487C9949393BF02AEC7C9CCAF2DCF415D0270D274973AFAA4409C900743AAE19F677C1CFC76C65CF5F3FB1275DD93D0DCC792471A301B096028A07C8D4AA9464EDCB58FEE0D468DBCD0AA25F5FA257298349CD7E186B74B21E1E58618F785008D06B45D7} | |
| $m3 = {B017AEA2D3B60430561E580FB1ED55A4D654CBD8F6733AEC5D5EAB25FD36A5FA84C36140C546B559523B42A22E5F136210A95BE673D69225B17D23E306B3873A0E43F0D7008953A2113152286E5D40723CF20977A7499297D46C90A076A7FDB8DCB39DF207602C4F5898006BD31554E0FADDFF802C5F18A698FFD4ABECA14559B22E6F625DE0D919AC8B579CA8262BD917A510D247081A702C338B7F68802AB5A15D6BDD8D02022903AA7C37BBBB294E3D5393B3A6FA8FD25893154CB92DAB80A3A325FBAFF70864B07A440F5C10D75F6137AA4E6BD3D253259D8273FA2CF972B0A919392A50FAA9D03C3ACAE85BEFF55F51F4F90AD99735DE6A85E6230442AF} | |
| $m4 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_22418016e980e0a4a2d01ca210a17059916a4208352c1018b0079ccb19aaf86a | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "22418016e980e0a4a2d01ca210a17059916a4208352c1018b0079ccb19aaf86a" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "CITMDRV.SYS: ZwCreateFile failed (0x%x)\n" | |
| $a1 = "CITMDRV.SYS: unload...\n" | |
| $a2 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_WRITECOMBINE\n" | |
| $a3 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_NOCACHE\n" | |
| $a4 = "CITMDRV.SYS: ZwUnmapViewOfSection failed (0x%x)\n" | |
| $a5 = "CITMDRV.SYS: copy %u bytes into user memory\n" | |
| $a6 = "CITMDRV.SYS: virtualAddress=0x%p\n" | |
| $a7 = "CITMDRV.SYS: Insufficient input or output buffer\n" | |
| $a8 = "CITMDRV.SYS: ZwMapViewOfSection failed (0x%x)\n" | |
| $a9 = "CITMDRV.SYS: aligned Address = 0x%I64x\n" | |
| $a10 = "CITMDRV.SYS: requested offset = 0x%x\n" | |
| $a11 = "CITMDRV.SYS: userOffset = 0x%x\n" | |
| $a12 = "CITMDRV.SYS: Try to split into single pages\n" | |
| $a13 = "CITMDRV.SYS: ZwOpenSection failed (0x%x)\n" | |
| $a14 = "CITMDRV.SYS: offset = 0x%x\n" | |
| $a15 = "CITMDRV.SYS: aligned end Address = 0x%I64x\n" | |
| $a16 = "CITMDRV.SYS: aligned start Address = 0x%I64x\n" | |
| $a17 = "CITMDRV.SYS: requested Size = 0x%x\n" | |
| $a18 = "CITMDRV.SYS: requested Address = 0x%I64x\n" | |
| $a19 = "CITMDRV.SYS: MmProbeAndLockPages access violation\n" | |
| $a20 = "CITMDRV.SYS: IoAllocateMdl failed\n" | |
| $a21 = "CITMDRV.SYS: userVirtualAddress = 0x%p\n" | |
| $a22 = "CITMDRV.SYS: unknown IRP_MJ_DEVICE_CONTROL\n" | |
| $a23 = "CITMDRV.SYS: IRP_MJ_CREATE\n" | |
| $a24 = "CITMDRV.SYS: IoCreateDevice failed\n" | |
| $a25 = "CITMDRV.SYS: IoCreateSymbolicLink failed\n" | |
| $a26 = "CITMDRV.SYS: DriverEntry...\n" | |
| $w0 = "\\DosDevices\\CITMDRV" wide | |
| $w1 = "\\Device\\PhysicalMemory" wide | |
| $w2 = "\\Device\\CITMDRV" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {C19C559C6A1B732FDAC3DEF6D5255CF6D9C9116D00B46A3D4C1D2351789690D3CCD17891EC9A395511748C2F4C0B6B98C6BBBEE515A6A7450D6F3048153E46FE0FCFAA68D4F1D32E35EA6BCA67FA90A8F3A533A3711A685B4E4219E4CE7A2DBBE5C0BBCE17167C18741E76C599D7D6073C70CA65FB1923BE80260E86FF71125D} | |
| $m3 = {BE671DB460AA10496F56177C66C95E860DD5F1ACA771838E8B89F88804891506BA2D842195E4D19C504CFBD222BDDAF2B2353B1E8FC309FBFC132E5ABF897C3D3B251EF6F3587B9CF401B5C60AB880CEBE27746167274D6AE5EC81615879A3E01710121527B0E14D347F2B472044B9DE6624668ACD4FBA1FC538C85490E172F61966756AB94968CF38790DAA30A8DB2C60489ED7AA1401A983D7389130391396033A7C4054B6ADE02F1B83DCA811523E02B3D72BFD21B6A75CA30F0BA9A610500E342E4DA7CEC95E25D48CBCF36E7C29BC015DFC31875AD58C8567588819A0BF35F0EA2BA321E790F683E5A8ED60785E7B6083FD570B5D410D635460D64321EF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\DosDevices\\" wide | |
| $w1 = "\\Device\\" wide | |
| $m0 = {C30CB7120D4D688A33DE3605F03CBAF5DACD0E537B469F82F26213D7C177ADBB81377E4F1E9381C10622DA1D5084C6979592A993B63DAB867919547D0E16044CC488972CC6A1A85F153AD2642BCC3E0C7AE8A456B11EBBCF84CE8D353A349C6C2DC077B530A91F67E63A09443A437241A291C3469A1FB6B9A70FAF1C751B6425E7086C1447F5471ADE8EEAA263957DF5A8AD55A2649B726FB902733F398A395CC4FE8FFB119CBD10194963D043228BD6AB92997414CF3007BE4FBDFD8A8F9E5ADF6D3CCC5A995090B9ADC29743C25FEDCD333D87CCC1A05BA9623B787D64A3AC4D1F2BD703116C71548AB0ABB11CD67D23DB40073726DB50AF383DA607756F97} | |
| $m1 = {B24F14E710BED72672AB3697EF53BF42845E58D18A28FC43466F7E2844500B755D00D73C0A449E206AA4F7454A3760A36E3F12FA6DFAB646C36AA3B80C2728025728D150F7613955B8C3E12586523CBF051DD7B39AF89A243149D5A2A9E2D391AB3E3C73EFF629F1C835D0307B7F4E92A5068F87E2CEF5C16366AC18692AC15EBB5AE86E95FF3B80629D99C7C72F66D5FD621A82555AC6FA40778EC9303C1BF0F235B86C599CFDE9D6CAB4401EF704CAD167A974E3A50854D983353B8E8C230C75B6DE864A9E1A3E0A5049389CD2A890BF98FAC88C2B27117E2AFBCEDEA9AE389322FAA6ECFB5C6176C344D6CC0C7E2F6D0680A27440BBB71FF43BD773541FF3} | |
| $m2 = {CDC23D5D7722D0C27D3832C315831F426A3B5366DD6A36440D69CF688D89459F7E2FEE423A337C3E00D3976AD85AD5C34D920A5F0650FDBF6CC403A28260D8ED522E1374DE97C645217B55F6EAB16403FC746BB25FC76C6C43148A241037499581D24812A5A2764950217FCA85730A3C5DB52EAD90AA5E4D32CB1793D97F96C0C0896556D9C5B13F981B27FA49EE1D1BCB068C301C3BC5A7705BA8AB185AFEC8F68EBF015D8F6198340F5851FFDF32EA54651C142B6CFC0C901967ED9BD9DA639BD65A24A3748E082300A192B51E0BD108A0667F921BA3ED806402498FB684EFD1558E5EA9975AC50802889456BF92EB2A2D063592B5373631ECC3FE7A3BC285} | |
| $m3 = {A0298E7F87674034663E1BCFA50B497973CC8D8D3C0E5D875764DC3CC12F63694145742BCECF1A373BD490D0D8F84150BB6DF7765AE45C9C22AB6B7B7BAE3BE9E96BC7E5378C6823A9FCD246DF2843792A9A5FB4F3D5FD9A4B2D009F877EA3CA95675ABB47DE6827FD696CE2E682E1F4A286C4D9C72DB6EBD06080A21B736833FA520571468D6C55C6DE76A347E076A4297B2FD0B224AE5537F9EE71D2270269252849A674A1F5ACE482BA6F682C98318BB96C5D48D038E2D8442509D9D929D3F44904A848F4B136F03A1868ED2B85AAE5D1EF77988844408D8CBA0FB08DD9918EF245C3212AA129EAAF5C246661E392E0281E5834AE5AA3679AAC51E6E58197} | |
| $m4 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_db90e554ad249c2bd888282ecf7d8da4d1538dd364129a3327b54f8242dd5653 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "db90e554ad249c2bd888282ecf7d8da4d1538dd364129a3327b54f8242dd5653" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "CITMDRV.SYS: ZwCreateFile failed (0x%x)\n" | |
| $a1 = "CITMDRV.SYS: unload...\n" | |
| $a2 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_WRITECOMBINE\n" | |
| $a3 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_NOCACHE\n" | |
| $a4 = "CITMDRV.SYS: ZwUnmapViewOfSection failed (0x%x)\n" | |
| $a5 = "CITMDRV.SYS: copy %u bytes into user memory\n" | |
| $a6 = "CITMDRV.SYS: virtualAddress=0x%p\n" | |
| $a7 = "CITMDRV.SYS: Insufficient input or output buffer\n" | |
| $a8 = "CITMDRV.SYS: ZwMapViewOfSection failed (0x%x)\n" | |
| $a9 = "CITMDRV.SYS: aligned Address = 0x%I64x\n" | |
| $a10 = "CITMDRV.SYS: requested offset = 0x%x\n" | |
| $a11 = "CITMDRV.SYS: userOffset = 0x%x\n" | |
| $a12 = "CITMDRV.SYS: Try to split into single pages\n" | |
| $a13 = "CITMDRV.SYS: ZwOpenSection failed (0x%x)\n" | |
| $a14 = "CITMDRV.SYS: offset = 0x%x\n" | |
| $a15 = "CITMDRV.SYS: aligned end Address = 0x%I64x\n" | |
| $a16 = "CITMDRV.SYS: aligned start Address = 0x%I64x\n" | |
| $a17 = "CITMDRV.SYS: requested Size = 0x%x\n" | |
| $a18 = "CITMDRV.SYS: requested Address = 0x%I64x\n" | |
| $a19 = "CITMDRV.SYS: MmProbeAndLockPages access violation\n" | |
| $a20 = "CITMDRV.SYS: IoAllocateMdl failed\n" | |
| $a21 = "CITMDRV.SYS: userVirtualAddress = 0x%p\n" | |
| $a22 = "CITMDRV.SYS: unknown IRP_MJ_DEVICE_CONTROL\n" | |
| $a23 = "CITMDRV.SYS: IRP_MJ_CREATE\n" | |
| $a24 = "CITMDRV.SYS: IoCreateDevice failed\n" | |
| $a25 = "CITMDRV.SYS: IoCreateSymbolicLink failed\n" | |
| $a26 = "CITMDRV.SYS: DriverEntry...\n" | |
| $w0 = "\\DosDevices\\CITMDRV" wide | |
| $w1 = "\\Device\\PhysicalMemory" wide | |
| $w2 = "\\Device\\CITMDRV" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {D66D48AB487B00E92CAB08B846957A4918A507E5A6ACF04FEDCD529AB14D7EB0444DED486867E9C23B5CE55969AE520C6E556E2D1583277A6A09479D9CE2104BB76D1332005412F7D28AA1A85027F622F542F2832FB348F0454BE2D13BAD717280718D798272374000C8DF32748EB926321695E71ACA96FA4B55ACF24DF9A780BDEFE07205866592C1941457898ACB2A866226CF5C5E336C59B9D4359DAB8D340FCC0606C7565AEC8D5AACC37AAED10DD2F72260F831D1FA7ED05D69C7EF31C65424CAF31BF2D9482EA4108D0F7D13B30D6D5FC88D516E9992518D418A871F6CEBC20E55012AB2B7C73611995439723309A26374311F3C4C5D324E6CE5B2EAA3} | |
| $m3 = {97831E0016AF2CB1D208C4D7689351601E71F6E247B4DB584D23626AB4BF5A1B51F7A30D187768BBD836AB2F2150DA9EF3E75F274E0BC297C8097093A9DA5C0D4EA40D91A0B4EC14CE9172542ECEA3DB44E9521B3F413CCA4AE4AAC0E839AB53CC21D0CCCF7F9BE6C2CC586A8215EE3D36CF1CC59707248EF17BBE312D3D6EDCB599429F4B61955F1C70EE177DDB8BE5618978C7681BAF11781A98AEC4554753D9B332D6A10E4640C597928AD153A7995B853557D3EA936261200AC7307724114D6283B6BA7B688231EE65CADFF9D58DB235DC8C2B6F6A725C60849CF20C945EC056520048CCD3F8A57DDE2FD713E438A884D546B81386C21B9DEA5A38DD9BDB} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\PhysicalMemory" wide | |
| $m0 = {94EF65F8B5579FA0530D3406EB091FB747186ACBF05BE4FF27A534D1F7891ABF9EB1CD12416E66D481A0858B645A462F99A08D77B1E2BC5CDD22D76A67D0BBE8CA74DE8B4F0DB052E5905BEB470EF1E79F9C0B90653E17963045726D39A11736CAB9A08C1B4F0819F68131AD6116A462E6B4409EC3FCFB95F6FBB52E958198E0EFC5EBD802597877F7AAE3526B509129C5FCF7CD9365D2606122F206FB32DD1651FA0EFD8A30F01709A7BBF304AEAB90E76CDF7AA9F4EFC462275F6F996D3874AA118BDADFC7144CE985B2ECC27D4A268FE756BAA6E0CF92538074F403EC68B260BC842000831BA1EEB47405C1298E62D047B1FAF053CC18F92E3BF9707EB425} | |
| $m1 = {B24F14E710BED72672AB3697EF53BF42845E58D18A28FC43466F7E2844500B755D00D73C0A449E206AA4F7454A3760A36E3F12FA6DFAB646C36AA3B80C2728025728D150F7613955B8C3E12586523CBF051DD7B39AF89A243149D5A2A9E2D391AB3E3C73EFF629F1C835D0307B7F4E92A5068F87E2CEF5C16366AC18692AC15EBB5AE86E95FF3B80629D99C7C72F66D5FD621A82555AC6FA40778EC9303C1BF0F235B86C599CFDE9D6CAB4401EF704CAD167A974E3A50854D983353B8E8C230C75B6DE864A9E1A3E0A5049389CD2A890BF98FAC88C2B27117E2AFBCEDEA9AE389322FAA6ECFB5C6176C344D6CC0C7E2F6D0680A27440BBB71FF43BD773541FF3} | |
| $m2 = {B017AEA2D3B60430561E580FB1ED55A4D654CBD8F6733AEC5D5EAB25FD36A5FA84C36140C546B559523B42A22E5F136210A95BE673D69225B17D23E306B3873A0E43F0D7008953A2113152286E5D40723CF20977A7499297D46C90A076A7FDB8DCB39DF207602C4F5898006BD31554E0FADDFF802C5F18A698FFD4ABECA14559B22E6F625DE0D919AC8B579CA8262BD917A510D247081A702C338B7F68802AB5A15D6BDD8D02022903AA7C37BBBB294E3D5393B3A6FA8FD25893154CB92DAB80A3A325FBAFF70864B07A440F5C10D75F6137AA4E6BD3D253259D8273FA2CF972B0A919392A50FAA9D03C3ACAE85BEFF55F51F4F90AD99735DE6A85E6230442AF} | |
| $m3 = {D344CA36E2A4B301068AAE6A67185909CBECE0DD0895A0069EB53D13C93F64806A17BE17C85C7A9F4E5516A462BBE7A31C8DDEF592BB3B14FB11BB17C626A0559499A911B2A5340DA5469690096A12FFCED32D4926DC591AA6D229A1F107391DD0660147449C4F7F65BF892A40109C011150DCD547E37A29C578A2AE74055B7295BF7B2721F75FA4D2376BA10BE4210AD4B713A43FBBBE97B2EBE0CB3917F3B096019C79774F84CF890B893AE01B54632ACBAF60C16FE1AD445E787AD217F60DCF4AB4CA6327CA5AF7BA5B3FC2F4D7DDAB767ED82F2E0D873055CDC27257E8BB2BF4CA19ED0D84A4B9DFBC1B803C912F41F732FD4E31E1EC83190791FC6240A7} | |
| $m4 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\NTIOLib_1_0_5" wide | |
| $w1 = "\\DosDevices\\NTIOLib_1_0_5" wide | |
| $m0 = {A29B752AA713BA09712418DFA1066229129EDC9E7573E8DF5657699613564FF2C8BC0158ED2686720B60F519C55503579BB910C9A1D47440FF6C00E8E65337FEB7DA793EB85238E9812C9F0E3352A6CD70CE4A5D62F4D1675EBC974A07CABCDD8D47B1CDF1655B8501B04B6BDECD8E2EF550E8A39C9D26986B366341037044F05FE2257579507D5FA106A2460C55954714D39146866899E727F494EC9A4151F796D47A8CE14497687103D8586FBDB41042EE0D6675468B4496D23000120763F7449B0170CA566F9C58972A27178B2E71526D46ABA72B0F7F164864C852FA0617000774D745B30CF5789573E80AEEC4E0728C1E11AA1EBB5ECEF9B400EE73BDCD} | |
| $m1 = {BE2794996C4B3FA39C28F8E6124A05A5316441DFE0F087D59DFBC11259F88F8067D69B9F6046EAF084B1629A2CA0BF2498A31B4F181D1E1E952E870944256088967CA045958D071E9C135E8DC1CDCB66B8B3C65A2AFD3003055D7DA2CDBE8A1EB7889518CF35891488B3E8A849CE2A195C7D3ABDFC5EA01035D675B1FCD9CA35} | |
| $m2 = {B0B1F2800070CEECC38CB497EDC6098C266F89DF675981CFDE14134CC2B145E2537541FA07366FBA117028947C6D72BD071525653A09FF85DCFA7B5E378738E4C74B0880989E8ACD580902C0C30149965888892659F56DC6B9C1FB1825EDD8624ECA0A6C5D70EFCED39B290B09C6F6EEB616D43C548ECC5DE0AFDBDD2309327B328116620A06CB7ACF3421B66F36B6B1CECB9A2935403E9D587CFFAD8298FAB8D589CA35DDCBCD5706CB9BE4BF94A880985F7796F0B6E7AB74794021A663E9D00791BD8538B4AE96ACA1FF1473DAA545B84D86CE2A3CEFD4DF280E75A9A88813C2E47C6093F225CC038497E64EB69F2DD6B58B343CABD5383AC83DC4B1F994CD} | |
| $m3 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_d5586dc1e61796a9ae5e5d1ced397874753056c3df2eb963a8916287e1929a71 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "d5586dc1e61796a9ae5e5d1ced397874753056c3df2eb963a8916287e1929a71" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "CITMDRV.SYS: ZwCreateFile failed (0x%x)\n" | |
| $a1 = "CITMDRV.SYS: unload...\n" | |
| $a2 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_WRITECOMBINE\n" | |
| $a3 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_NOCACHE\n" | |
| $a4 = "CITMDRV.SYS: ZwUnmapViewOfSection failed (0x%x)\n" | |
| $a5 = "CITMDRV.SYS: copy %u bytes into user memory\n" | |
| $a6 = "CITMDRV.SYS: virtualAddress=0x%p\n" | |
| $a7 = "CITMDRV.SYS: Insufficient input or output buffer\n" | |
| $a8 = "CITMDRV.SYS: MmProbeAndLockPages access violation\n" | |
| $a9 = "CITMDRV.SYS: ZwMapViewOfSection failed (0x%x)\n" | |
| $a10 = "CITMDRV.SYS: userOffset = 0x%x\n" | |
| $a11 = "CITMDRV.SYS: requested offset = 0x%x\n" | |
| $a12 = "CITMDRV.SYS: aligned Address = 0x%I64x\n" | |
| $a13 = "CITMDRV.SYS: Try to split into single pages\n" | |
| $a14 = "CITMDRV.SYS: ZwOpenSection failed (0x%x)\n" | |
| $a15 = "CITMDRV.SYS: offset = 0x%x\n" | |
| $a16 = "CITMDRV.SYS: aligned end Address = 0x%I64x\n" | |
| $a17 = "CITMDRV.SYS: aligned start Address = 0x%I64x\n" | |
| $a18 = "CITMDRV.SYS: requested Size = 0x%x\n" | |
| $a19 = "CITMDRV.SYS: requested Address = 0x%I64x\n" | |
| $a20 = "CITMDRV.SYS: IoAllocateMdl failed\n" | |
| $a21 = "CITMDRV.SYS: userVirtualAddress = 0x%p\n" | |
| $a22 = "CITMDRV.SYS: IRP_MJ_CREATE\n" | |
| $a23 = "CITMDRV.SYS: unknown IRP_MJ_DEVICE_CONTROL\n" | |
| $a24 = "CITMDRV.SYS: IoCreateDevice failed\n" | |
| $a25 = "CITMDRV.SYS: IoCreateSymbolicLink failed\n" | |
| $a26 = "CITMDRV.SYS: DriverEntry...\n" | |
| $w0 = "\\DosDevices\\CITMDRV" wide | |
| $w1 = "\\Device\\PhysicalMemory" wide | |
| $w2 = "\\Device\\CITMDRV" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {C19C559C6A1B732FDAC3DEF6D5255CF6D9C9116D00B46A3D4C1D2351789690D3CCD17891EC9A395511748C2F4C0B6B98C6BBBEE515A6A7450D6F3048153E46FE0FCFAA68D4F1D32E35EA6BCA67FA90A8F3A533A3711A685B4E4219E4CE7A2DBBE5C0BBCE17167C18741E76C599D7D6073C70CA65FB1923BE80260E86FF71125D} | |
| $m3 = {BE671DB460AA10496F56177C66C95E860DD5F1ACA771838E8B89F88804891506BA2D842195E4D19C504CFBD222BDDAF2B2353B1E8FC309FBFC132E5ABF897C3D3B251EF6F3587B9CF401B5C60AB880CEBE27746167274D6AE5EC81615879A3E01710121527B0E14D347F2B472044B9DE6624668ACD4FBA1FC538C85490E172F61966756AB94968CF38790DAA30A8DB2C60489ED7AA1401A983D7389130391396033A7C4054B6ADE02F1B83DCA811523E02B3D72BFD21B6A75CA30F0BA9A610500E342E4DA7CEC95E25D48CBCF36E7C29BC015DFC31875AD58C8567588819A0BF35F0EA2BA321E790F683E5A8ED60785E7B6083FD570B5D410D635460D64321EF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_b9b3878ddc5dfb237d38f8d25067267870afd67d12a330397a8853209c4d889c | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "b9b3878ddc5dfb237d38f8d25067267870afd67d12a330397a8853209c4d889c" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "CITMDRV.SYS: ZwCreateFile failed (0x%x)\n" | |
| $a1 = "CITMDRV.SYS: unload...\n" | |
| $a2 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_WRITECOMBINE\n" | |
| $a3 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_NOCACHE\n" | |
| $a4 = "CITMDRV.SYS: ZwUnmapViewOfSection failed (0x%x)\n" | |
| $a5 = "CITMDRV.SYS: copy %u bytes into user memory\n" | |
| $a6 = "CITMDRV.SYS: virtualAddress=0x%p\n" | |
| $a7 = "CITMDRV.SYS: Insufficient input or output buffer\n" | |
| $a8 = "CITMDRV.SYS: ZwMapViewOfSection failed (0x%x)\n" | |
| $a9 = "CITMDRV.SYS: aligned Address = 0x%I64x\n" | |
| $a10 = "CITMDRV.SYS: requested offset = 0x%x\n" | |
| $a11 = "CITMDRV.SYS: userOffset = 0x%x\n" | |
| $a12 = "CITMDRV.SYS: Try to split into single pages\n" | |
| $a13 = "CITMDRV.SYS: ZwOpenSection failed (0x%x)\n" | |
| $a14 = "CITMDRV.SYS: offset = 0x%x\n" | |
| $a15 = "CITMDRV.SYS: aligned end Address = 0x%I64x\n" | |
| $a16 = "CITMDRV.SYS: aligned start Address = 0x%I64x\n" | |
| $a17 = "CITMDRV.SYS: requested Size = 0x%x\n" | |
| $a18 = "CITMDRV.SYS: requested Address = 0x%I64x\n" | |
| $a19 = "CITMDRV.SYS: MmProbeAndLockPages access violation\n" | |
| $a20 = "CITMDRV.SYS: IoAllocateMdl failed\n" | |
| $a21 = "CITMDRV.SYS: userVirtualAddress = 0x%p\n" | |
| $a22 = "CITMDRV.SYS: unknown IRP_MJ_DEVICE_CONTROL\n" | |
| $a23 = "CITMDRV.SYS: IRP_MJ_CREATE\n" | |
| $a24 = "CITMDRV.SYS: IoCreateDevice failed\n" | |
| $a25 = "CITMDRV.SYS: IoCreateSymbolicLink failed\n" | |
| $a26 = "CITMDRV.SYS: DriverEntry...\n" | |
| $w0 = "\\DosDevices\\CITMDRV" wide | |
| $w1 = "\\Device\\PhysicalMemory" wide | |
| $w2 = "\\Device\\CITMDRV" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {D66D48AB487B00E92CAB08B846957A4918A507E5A6ACF04FEDCD529AB14D7EB0444DED486867E9C23B5CE55969AE520C6E556E2D1583277A6A09479D9CE2104BB76D1332005412F7D28AA1A85027F622F542F2832FB348F0454BE2D13BAD717280718D798272374000C8DF32748EB926321695E71ACA96FA4B55ACF24DF9A780BDEFE07205866592C1941457898ACB2A866226CF5C5E336C59B9D4359DAB8D340FCC0606C7565AEC8D5AACC37AAED10DD2F72260F831D1FA7ED05D69C7EF31C65424CAF31BF2D9482EA4108D0F7D13B30D6D5FC88D516E9992518D418A871F6CEBC20E55012AB2B7C73611995439723309A26374311F3C4C5D324E6CE5B2EAA3} | |
| $m3 = {97831E0016AF2CB1D208C4D7689351601E71F6E247B4DB584D23626AB4BF5A1B51F7A30D187768BBD836AB2F2150DA9EF3E75F274E0BC297C8097093A9DA5C0D4EA40D91A0B4EC14CE9172542ECEA3DB44E9521B3F413CCA4AE4AAC0E839AB53CC21D0CCCF7F9BE6C2CC586A8215EE3D36CF1CC59707248EF17BBE312D3D6EDCB599429F4B61955F1C70EE177DDB8BE5618978C7681BAF11781A98AEC4554753D9B332D6A10E4640C597928AD153A7995B853557D3EA936261200AC7307724114D6283B6BA7B688231EE65CADFF9D58DB235DC8C2B6F6A725C60849CF20C945EC056520048CCD3F8A57DDE2FD713E438A884D546B81386C21B9DEA5A38DD9BDB} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\IOMap" wide | |
| $w1 = "\\DosDevices\\IOMap" wide | |
| $w2 = "\\Parameters" wide | |
| $m0 = {C4B5F25215BC88866029164A5B2F4B916B8791F335545835EAD1365E624D52513471C27B661D89C8DD2AC46A0AF637D9987491F692AEB0B57696F1A94A6345472E6B0B924E4B2B8CEE584A8BD407E41A2CF882AA58D9CD42F32DC075DE8DABC78E1D9A6C4C08951EDEDBEF67E172C249C29E603CE1E2BE16A3637869147BAD2D} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {BE671DB460AA10496F56177C66C95E860DD5F1ACA771838E8B89F88804891506BA2D842195E4D19C504CFBD222BDDAF2B2353B1E8FC309FBFC132E5ABF897C3D3B251EF6F3587B9CF401B5C60AB880CEBE27746167274D6AE5EC81615879A3E01710121527B0E14D347F2B472044B9DE6624668ACD4FBA1FC538C85490E172F61966756AB94968CF38790DAA30A8DB2C60489ED7AA1401A983D7389130391396033A7C4054B6ADE02F1B83DCA811523E02B3D72BFD21B6A75CA30F0BA9A610500E342E4DA7CEC95E25D48CBCF36E7C29BC015DFC31875AD58C8567588819A0BF35F0EA2BA321E790F683E5A8ED60785E7B6083FD570B5D410D635460D64321EF} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {EC94053FCF73BC5C7F19B12B49D2532360E1EAD7B47BD3785AF118ACADB05C7B890DA71CF48AE739AC2D5D797D5893048B7FD7ECF7CCFD22249954A1F227429C44FE6687EEB51F3E5D64490E42B3DEDE3CEAB98B38BF3EB735606281CF56DB43FC4779CDCF86D556E9F142FEC9ACF299E22732C140253CEEE705A59CFED571AF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "DllGetClassObject" | |
| $a1 = "DllCanUnloadNow" | |
| $a2 = "DllPrepareToStop" | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {BE671DB460AA10496F56177C66C95E860DD5F1ACA771838E8B89F88804891506BA2D842195E4D19C504CFBD222BDDAF2B2353B1E8FC309FBFC132E5ABF897C3D3B251EF6F3587B9CF401B5C60AB880CEBE27746167274D6AE5EC81615879A3E01710121527B0E14D347F2B472044B9DE6624668ACD4FBA1FC538C85490E172F61966756AB94968CF38790DAA30A8DB2C60489ED7AA1401A983D7389130391396033A7C4054B6ADE02F1B83DCA811523E02B3D72BFD21B6A75CA30F0BA9A610500E342E4DA7CEC95E25D48CBCF36E7C29BC015DFC31875AD58C8567588819A0BF35F0EA2BA321E790F683E5A8ED60785E7B6083FD570B5D410D635460D64321EF} | |
| $m3 = {CFA241F029B618700FC132998826EC17AB89DBB413AD918AEF6BFFDA5170082EE482DD299F64B79AB133740CFA99446740011EB82CA6951AF405E993AE13BD1FCBE73B2BDD27A21B313D162C56FA3E90C8EF025BEE619AFF6E64462D8930DC96DDB85C1648B5CDCE1485F8440B1C240AC888B4406491888732C3C5B14692422B} | |
| $m4 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "MSECTION" | |
| $a1 = "HIDDEN_ML" | |
| $a2 = "PEHEADERH" | |
| $a3 = "THREADIDM" | |
| $a4 = "SERVICEH" | |
| $a5 = "EXDEVICEH" | |
| $a6 = "ZwReadVirtualMemory" | |
| $a7 = "ZwWriteVirtualMemory" | |
| $a8 = "nt!KiServiceTable" | |
| $a9 = "nt!KiServiceTableShadow" | |
| $a10 = "ServiceTable" | |
| $a11 = "ServiceTableShadow" | |
| $a12 = "System" | |
| $a13 = "ArDiskRegisterCallback" | |
| $a14 = "PsGetCurrentProcess" | |
| $a15 = "ExAllocatePoolWithTag" | |
| $a16 = "ExAllocatePool" | |
| $a17 = "IofCallDriver" | |
| $a18 = "KiExceptionDispatch" | |
| $a19 = "KiInitializeUserApc" | |
| $a20 = "KeInsertQueueApc" | |
| $a21 = "NtWriteVirtualMemory" | |
| $a22 = "IopLoadDriverEntryCall" | |
| $a23 = "IoGetInitialStack" | |
| $a24 = "RtlLookupFunctionEntry" | |
| $a25 = "PsGetThreadWin32Thread" | |
| $a26 = "KeRaiseUserException" | |
| $a27 = "NtShutdownSystem" | |
| $a28 = "PsGetThreadTeb" | |
| $a29 = "PsGetProcessPeb" | |
| $a30 = "PsGetProcessId" | |
| $a31 = "PsGetThreadProcess" | |
| $a32 = "PsGetThreadId" | |
| $a33 = "PsGetThreadProcessId" | |
| $a34 = "ZwQueryInformationThread" | |
| $a35 = "PsGetProcessInheritedFromUniqueProcessId" | |
| $a36 = "PsGetProcessSectionBaseAddress" | |
| $a37 = "PsGetProcessPriorityClass" | |
| $a38 = "IoThreadToProcess" | |
| $a39 = "PsGetCurrentThreadId" | |
| $a40 = "KeSetAffinityThread" | |
| $a41 = "ZwSuspendThread" | |
| $w0 = "system32" wide | |
| $w1 = "\\SystemRoot\\%s" wide | |
| $w2 = "\\SystemRoot\\system32\\ntdll.dll" wide | |
| $w3 = "kernel32.dll" wide | |
| $w4 = "\\Device\\" wide | |
| $w5 = "\\SystemRoot" wide | |
| $w6 = "\\Device\\Harddisk" wide | |
| $w7 = "NtAuthority" wide | |
| $w8 = "LocalSystem" wide | |
| $w9 = "LocalService" wide | |
| $w10 = "NetworkService" wide | |
| $w11 = "\\Device\\Afd" wide | |
| $w12 = "\\Device\\AswVmm" wide | |
| $w13 = "\\Device\\AvgVmm" wide | |
| $w14 = "CmRegisterCallback" wide | |
| $w15 = "CmUnRegisterCallback" wide | |
| $w16 = "\\Device\\%s" wide | |
| $w17 = "\\DosDevices\\%s" wide | |
| $w18 = "ObCreateObjectType" wide | |
| $w19 = "PsGetProcessPeb" wide | |
| $w20 = "PsGetThreadTeb" wide | |
| $w21 = "IofCallDriver" wide | |
| $w22 = "IofCompleteRequest" wide | |
| $w23 = "IoCreateFileSpecifyDeviceObjectHint" wide | |
| $w24 = "ZwQueryVirtualMemory" wide | |
| $w25 = "PsGetCurrentProcessWow64Process" wide | |
| $w26 = "\\Windows" wide | |
| $w27 = "%s\\system32" wide | |
| $w28 = "%s\\drivers" wide | |
| $w29 = "\\FileSystem\\Ntfs" wide | |
| $w30 = "\\FileSystem\\Fastfat" wide | |
| $w31 = "\\Driver\\Disk" wide | |
| $w32 = "\\Driver\\atapi" wide | |
| $w33 = "\\Device\\aswSP" wide | |
| $w34 = "\\Device\\avgSP" wide | |
| $w35 = "VerifyDriverLevel" wide | |
| $w36 = "VerifyDrivers" wide | |
| $w37 = "Session Manager\\Memory Management" wide | |
| $w38 = "ExGetPreviousMode" wide | |
| $w39 = "PsUpdateDiskCounters" wide | |
| $w40 = "\\Callback\\aswKLibInitialized" wide | |
| $w41 = "\\Callback\\avgKLibInitialized" wide | |
| $m0 = {C2E6618467C58AF50D08A445CA636B51D73A1142BD0A75754D94B40C50B52610FE1DC86F916B0C96E71A5C48EF44E5BF9B61CD1591625AB8FF670B9C63FD366A81FA29F8DD2B7085DE0218F3786DBC7DF9C76D093DBE6A7687E98ABDF8845D1E76C9E4C676763A53D1D1D35A368FC6A3E12F1B3AB761D673EC4E6D338A7C5D452D4BB150E6413A375686DC93238DF75025E864E6DDD38F2F57B58720EB0E8E2CD523DAF44D7846E3038331294A5C0C318A4A8C88C5F7305AF914AF155F6C434909FD262353F68D63E81AAB5BB11D30C29B6982B4DBFC5654BC1FA187ABBE7A5B0A202F4B09C995A78DB2FAD6638B4EA5721CEE9F7A0173F819D6FE0D4984BD01} | |
| $m1 = {C1B440D9B98A44FAD20AD7BFAAC94CB3D72C8C79729D24C8A55DDB6A988F3C7BCFF4DC83330BEF41C16F831609C01CF58CD93DF58168CD58E1B53022FDA75D5BB566C3FB74C36A584B0579B1BB8762496515178B587723CD5767E89B0257711320F3FEAEF4E67B3839542F0C362E6D2BA58F2F1B223ABFF41D9C3326F33EE372BC7050828ACE8A392919D30B03F97B7244F56A3220A3AF53BE46ECB588CD3A8EB3BA4841217BA018A06B14E1A4188B9D3DBEF972CACC147FB755B934EE58F9C458E4DA24DDED0FEB6DB99CFC3729F5E5A528C72285B1CB3747B6B2444C6E8FF0FB95A303D3C28FAC7799EA25355DF06FFB699F248E0F29A55A0A470286618D81} | |
| $m2 = {BDD032EE4BCD8F7FDDA9BA8299C539542857B6234AC40E07453351107DD0F97D4D687EE7B6A0F48DB388E497BF63219098BF13BC57D3C3E17E08D66A140038F72E1E3BEECCA6F63259FE5F653FE09BEBE34647061A557E0B277EC0A2F5A0E0DE223F0EFF7E95FBF3A3BA223E18AC11E4F099036D3B857C09D3EE5DC89A0B54E3A809716BE0CF22100F75CF71724E0AADDF403A5CB751E1A17914C64D2423305DBCEC3C606AAC2F07CCFDF0EA47D988505EFD666E56612729898451E682E74650FD942A2CA7E4753EBA980F847F9F3114D6ADD5F264CB7B1E05D084197217F11706EF3DCDD64DEF0642FDA2532A4F851DC41D3CAFCFDAAC10F5DDACACE956FF93} | |
| $m3 = {C6CCE573E6FBD4BBE52D2D32A6DFE5813FC9CD2549B6712AC3D5943467A20A1CB05F69A640B1C4B7B28FD098A4A941593AD3DC94D63CDB7438A44ACC4D2582F74AA5531238EEF3496D71917E63B6ABA65FC3A484F84F6251BEF8C5ECDB3892E306E508910CC4284155FBCB5A89157E71E835BF4D72093DBE3A38505B77311B8DB3C724459AA7AC6D00145A04B7BA13EB510A984141224E656187814150A6795C89DE194A57D52EE65D1C532C7E98CD1A0616A46873D03404135CA171D35A7C55DB5E64E13787305604E511B4298012F1793988A202117C2766B788B778F2CA0AA838AB0A64C2BF665D9584C1A1251E875D1A500B2012CC41BB6E0B5138B84BCB} | |
| $m4 = {C5F923E69427C48014A480325F40A38D6F70C0E53671713A75A4AA1A9294895EAC2371CB4E677D413FAAE34BB77BBE9DC1A8388F692F3A24E9775912C7660443C20D2682894019F22CEAE74CE77C051AB8FF88094F2637EF3AA4FA226C88C94A1B61F2AE105E6FBCD1799B591860E5EE29B5032AA4CEF183194F6905732809FB22109322A090191A4C31F2D32BD88443AF3C63FF98DB20D2092B54C1EAFD6A83E710A31271F5D6D7E1127AD5E0565ACEEA015B68655BC13F585233A935614E22CB81CA36A312CB06D6CF1B4D187EB992B912CF4026D89A3685B315AA4793846B07BBBCD5B3DE250011890068C1293CEA3E2DEE50ABD71C3006783CA510236791} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c" | |
| created = "2023-04-07" | |
| strings: | |
| $m0 = {99F0CBE1F7BB35F8D7520EE31042614FF1625F6A146DB565F33AC8B5F752E6F0B815E077350E5A76C5C3F95551C5A3FB7D5499F5183CC971AE2FB246DE0805128F1FB72D585932790CDD8076772D16AF21F59626C90F951224D567A6A689071E2568F0FE06F6437063BE31294BE000E58DEDAAD580A8BFD9BA39BDED7C254390E482ACDD519B98164DD986419565FF3288ABF30ED77DEA77810F2DF156C1E39E3439272B0D8F1B559F8323F5AF12EE3CC3F34C5DC8B4FBF7337076F091904B160A2D53FAD01A954D268B0727E4411430DF75278F79CCAC81055B46DAFFDEA6EA9AD74EBF36FD2DFE5F05B53C39C2D062B2967C51C6678E6CCD08320328472D87} | |
| $m1 = {A39C308409A7632ECF0A47F0EA24F9A330200F5E573126819A3107B250D4CE670908650A5AA54BAED5ED102EE7A599B59F682F988B5802AC20B429C471BD281CA5FD3C9B64E4C5EBDF6125BCF0EE68BFD1A7CB7E2A02814E645C0C53867957193761B798F90CA04E22599BF91B2D673C273C569066E3FD7F657D0F86BD3547E88ACCF4DA8EE96A4EABA755ECA2891ED5334553CBF99E77BDCD2CF905B87F74011DE8FB18E143D10DE9AADC376FBDFEB80FED1D4D01464E0AACFC82E8EC5683138E3A01ED146474EA64B26610B6686DC870007D50482E3D43EEE02495C6CD8EC7FDB8E495CFDD7EFB955EA101CD43B107D7A430EE9B861A2A6EC10B59A2746F8B} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "(MAPMEM) HalTranslatephysicalAddress failed\n" | |
| $a1 = "(MAPMEM) ZwMapViewOfSection failed\n" | |
| $w0 = "\\Device\\GVCIDrv64" wide | |
| $w1 = "\\DosDevices\\GVCIDrv64" wide | |
| $w2 = "\\Device\\PhysicalMemory" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {E77A0E8ABBA2CBD484A03F194E2808425DE8B338EE47965744182E7CCEED4A4BC890A952900E05B40F738E1049AD416C0F24782CFDF8C724144E234A03606035DA5D28AF274A3ABB2DE28404DA8FBB13ED4E8BE1CEABAAC3CBD59DDBB64DB472469941DDD35A467F48646B1BBFA3A08EF0F1C1D5359910288AE50368F72671B8DBBF38FEF5153DB3D7402454352FA3BAA1E47942E37692DF86AD4A7F2E3E1FD9CE0F88B7E1BC63673FFBC8DDD19CFECC8087022CB731ABABA4B2494E4D06333E3CC28A74D78F6D2E7ED5C0F417D756FADA4CEEE7EAF423069570DE72FC9F9CF7BF644EBF090FC93B42801772320112B3CA6C6D9D1D9FEE52944255B107541451} | |
| $m3 = {97831E0016AF2CB1D208C4D7689351601E71F6E247B4DB584D23626AB4BF5A1B51F7A30D187768BBD836AB2F2150DA9EF3E75F274E0BC297C8097093A9DA5C0D4EA40D91A0B4EC14CE9172542ECEA3DB44E9521B3F413CCA4AE4AAC0E839AB53CC21D0CCCF7F9BE6C2CC586A8215EE3D36CF1CC59707248EF17BBE312D3D6EDCB599429F4B61955F1C70EE177DDB8BE5618978C7681BAF11781A98AEC4554753D9B332D6A10E4640C597928AD153A7995B853557D3EA936261200AC7307724114D6283B6BA7B688231EE65CADFF9D58DB235DC8C2B6F6A725C60849CF20C945EC056520048CCD3F8A57DDE2FD713E438A884D546B81386C21B9DEA5A38DD9BDB} | |
| $m4 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "DebugPrint logging started" | |
| $a1 = "DebugPrint logging ended" | |
| $a2 = "DebugPrint: Could not allocate buffer" | |
| $a3 = "TargetDeviceRelation" | |
| $a4 = "RemovalRelations" | |
| $a5 = "PowerRelations" | |
| $a6 = "EjectionRelations" | |
| $a7 = "BusRelations" | |
| $a8 = "PHDIoStartIo: CmdOutputCount %d" | |
| $a9 = "PHDIoCancelIrp: IRP in StartIo queue" | |
| $a10 = "PHDIoCancelIrp: IRP running in StartIo" | |
| $a11 = "PHDIoCancelIrp: Cancelling %x %I" | |
| $a12 = "Create File is %T" | |
| $a13 = "DeviceIoControl: %d bytes written" | |
| $a14 = "DeviceIoControl: Control code %x InputLength %d OutputLength %d" | |
| $w0 = "\\Device\\PHDDebugPrint" wide | |
| $m0 = {A9596674DA3D8A7D7AD8FCF580447BFE476A14554E50470BECD3EDCEF638F74F69B9B1F0B678820A8C761667E202ADB70DA58AF603FC66D3FC082DCCB573597B89DC336E665A5E5237B462D1925935148B45AC59B24D24A298946842729F3A68E26B8B9E222DF4984E9AC6AFB3E4A0AB3C28BF23E1D772A4F2105367AE77AF51} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {BE671DB460AA10496F56177C66C95E860DD5F1ACA771838E8B89F88804891506BA2D842195E4D19C504CFBD222BDDAF2B2353B1E8FC309FBFC132E5ABF897C3D3B251EF6F3587B9CF401B5C60AB880CEBE27746167274D6AE5EC81615879A3E01710121527B0E14D347F2B472044B9DE6624668ACD4FBA1FC538C85490E172F61966756AB94968CF38790DAA30A8DB2C60489ED7AA1401A983D7389130391396033A7C4054B6ADE02F1B83DCA811523E02B3D72BFD21B6A75CA30F0BA9A610500E342E4DA7CEC95E25D48CBCF36E7C29BC015DFC31875AD58C8567588819A0BF35F0EA2BA321E790F683E5A8ED60785E7B6083FD570B5D410D635460D64321EF} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {D58656C0DEA2D94363A3893FDAF950275A4196ACE8DD8745DE1279CD6A644C13F0AC6875FC911961493877176B4C88A9CB97EA48903E5D3C9969C8A684BD106FD2E111C4D8C5CE5B0CC7234F3F65E12562B41C46B38B4C1743144AAF0C4E1A33F2B275A95F8B442E40F56655E32074C24C0726D720F675AB79D7E5049B823719} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\PanIO_1_0" wide | |
| $w1 = "\\DosDevices\\PanIO_1_0" wide | |
| $m0 = {94EF65F8B5579FA0530D3406EB091FB747186ACBF05BE4FF27A534D1F7891ABF9EB1CD12416E66D481A0858B645A462F99A08D77B1E2BC5CDD22D76A67D0BBE8CA74DE8B4F0DB052E5905BEB470EF1E79F9C0B90653E17963045726D39A11736CAB9A08C1B4F0819F68131AD6116A462E6B4409EC3FCFB95F6FBB52E958198E0EFC5EBD802597877F7AAE3526B509129C5FCF7CD9365D2606122F206FB32DD1651FA0EFD8A30F01709A7BBF304AEAB90E76CDF7AA9F4EFC462275F6F996D3874AA118BDADFC7144CE985B2ECC27D4A268FE756BAA6E0CF92538074F403EC68B260BC842000831BA1EEB47405C1298E62D047B1FAF053CC18F92E3BF9707EB425} | |
| $m1 = {B24F14E710BED72672AB3697EF53BF42845E58D18A28FC43466F7E2844500B755D00D73C0A449E206AA4F7454A3760A36E3F12FA6DFAB646C36AA3B80C2728025728D150F7613955B8C3E12586523CBF051DD7B39AF89A243149D5A2A9E2D391AB3E3C73EFF629F1C835D0307B7F4E92A5068F87E2CEF5C16366AC18692AC15EBB5AE86E95FF3B80629D99C7C72F66D5FD621A82555AC6FA40778EC9303C1BF0F235B86C599CFDE9D6CAB4401EF704CAD167A974E3A50854D983353B8E8C230C75B6DE864A9E1A3E0A5049389CD2A890BF98FAC88C2B27117E2AFBCEDEA9AE389322FAA6ECFB5C6176C344D6CC0C7E2F6D0680A27440BBB71FF43BD773541FF3} | |
| $m2 = {B017AEA2D3B60430561E580FB1ED55A4D654CBD8F6733AEC5D5EAB25FD36A5FA84C36140C546B559523B42A22E5F136210A95BE673D69225B17D23E306B3873A0E43F0D7008953A2113152286E5D40723CF20977A7499297D46C90A076A7FDB8DCB39DF207602C4F5898006BD31554E0FADDFF802C5F18A698FFD4ABECA14559B22E6F625DE0D919AC8B579CA8262BD917A510D247081A702C338B7F68802AB5A15D6BDD8D02022903AA7C37BBBB294E3D5393B3A6FA8FD25893154CB92DAB80A3A325FBAFF70864B07A440F5C10D75F6137AA4E6BD3D253259D8273FA2CF972B0A919392A50FAA9D03C3ACAE85BEFF55F51F4F90AD99735DE6A85E6230442AF} | |
| $m3 = {E8551803EE0203C0E49106851D4B105ED1FCC6FD8C261DFA95C32B7001B841A9102F472CD10210508E3E399AF82C7BD488EC127B436D9C94692DF18D6DF48D6803F3DF7E55B8ED517DE7C6E7D50945F229115B2899768DA607BE26987265BAE0A51107D13A70C26C7A338FAEB4E2DB7E8C4E481299CB1B6147CDB87C2255D774C381DD345E62B52FF3023EC788F9980AE773CB87EDC4331F6EA51FF03C1DF97FB1EFF3E89F11B8FBF107DF21F7E1E2E0EA3078008034B3D9236026D4FA873DC802AC7820EAFE879A51E7CF5BB526FB77F8CA80293D922F9146D0567FC93584B4A0BC9D51DE2E7043360F730E4A73A04E4F01C579F9F19AC33433BB00AD558387} | |
| $m4 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\NTIOLib_Mystic_Light" wide | |
| $w1 = "\\DosDevices\\NTIOLib_Mystic_Light" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {B24F14E710BED72672AB3697EF53BF42845E58D18A28FC43466F7E2844500B755D00D73C0A449E206AA4F7454A3760A36E3F12FA6DFAB646C36AA3B80C2728025728D150F7613955B8C3E12586523CBF051DD7B39AF89A243149D5A2A9E2D391AB3E3C73EFF629F1C835D0307B7F4E92A5068F87E2CEF5C16366AC18692AC15EBB5AE86E95FF3B80629D99C7C72F66D5FD621A82555AC6FA40778EC9303C1BF0F235B86C599CFDE9D6CAB4401EF704CAD167A974E3A50854D983353B8E8C230C75B6DE864A9E1A3E0A5049389CD2A890BF98FAC88C2B27117E2AFBCEDEA9AE389322FAA6ECFB5C6176C344D6CC0C7E2F6D0680A27440BBB71FF43BD773541FF3} | |
| $m2 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m3 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| $m4 = {D344CA36E2A4B301068AAE6A67185909CBECE0DD0895A0069EB53D13C93F64806A17BE17C85C7A9F4E5516A462BBE7A31C8DDEF592BB3B14FB11BB17C626A0559499A911B2A5340DA5469690096A12FFCED32D4926DC591AA6D229A1F107391DD0660147449C4F7F65BF892A40109C011150DCD547E37A29C578A2AE74055B7295BF7B2721F75FA4D2376BA10BE4210AD4B713A43FBBBE97B2EBE0CB3917F3B096019C79774F84CF890B893AE01B54632ACBAF60C16FE1AD445E787AD217F60DCF4AB4CA6327CA5AF7BA5B3FC2F4D7DDAB767ED82F2E0D873055CDC27257E8BB2BF4CA19ED0D84A4B9DFBC1B803C912F41F732FD4E31E1EC83190791FC6240A7} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_405472a8f9400a54bb29d03b436ccd58cfd6442fe686f6d2ed4f63f002854659 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "405472a8f9400a54bb29d03b436ccd58cfd6442fe686f6d2ed4f63f002854659" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "CITMDRV.SYS: ZwCreateFile failed (0x%x)\n" | |
| $a1 = "CITMDRV.SYS: unload...\n" | |
| $a2 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_WRITECOMBINE\n" | |
| $a3 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_NOCACHE\n" | |
| $a4 = "CITMDRV.SYS: ZwUnmapViewOfSection failed (0x%x)\n" | |
| $a5 = "CITMDRV.SYS: copy %u bytes into user memory\n" | |
| $a6 = "CITMDRV.SYS: virtualAddress=0x%p\n" | |
| $a7 = "CITMDRV.SYS: Insufficient input or output buffer\n" | |
| $a8 = "CITMDRV.SYS: ZwMapViewOfSection failed (0x%x)\n" | |
| $a9 = "CITMDRV.SYS: aligned Address = 0x%I64x\n" | |
| $a10 = "CITMDRV.SYS: requested offset = 0x%x\n" | |
| $a11 = "CITMDRV.SYS: userOffset = 0x%x\n" | |
| $a12 = "CITMDRV.SYS: Try to split into single pages\n" | |
| $a13 = "CITMDRV.SYS: ZwOpenSection failed (0x%x)\n" | |
| $a14 = "CITMDRV.SYS: offset = 0x%x\n" | |
| $a15 = "CITMDRV.SYS: aligned end Address = 0x%I64x\n" | |
| $a16 = "CITMDRV.SYS: aligned start Address = 0x%I64x\n" | |
| $a17 = "CITMDRV.SYS: requested Size = 0x%x\n" | |
| $a18 = "CITMDRV.SYS: requested Address = 0x%I64x\n" | |
| $a19 = "CITMDRV.SYS: MmProbeAndLockPages access violation\n" | |
| $a20 = "CITMDRV.SYS: IoAllocateMdl failed\n" | |
| $a21 = "CITMDRV.SYS: userVirtualAddress = 0x%p\n" | |
| $a22 = "CITMDRV.SYS: unknown IRP_MJ_DEVICE_CONTROL\n" | |
| $a23 = "CITMDRV.SYS: IRP_MJ_CREATE\n" | |
| $a24 = "CITMDRV.SYS: IoCreateDevice failed\n" | |
| $a25 = "CITMDRV.SYS: IoCreateSymbolicLink failed\n" | |
| $a26 = "CITMDRV.SYS: DriverEntry...\n" | |
| $w0 = "\\DosDevices\\CITMDRV" wide | |
| $w1 = "\\Device\\PhysicalMemory" wide | |
| $w2 = "\\Device\\CITMDRV" wide | |
| $m0 = {A9596674DA3D8A7D7AD8FCF580447BFE476A14554E50470BECD3EDCEF638F74F69B9B1F0B678820A8C761667E202ADB70DA58AF603FC66D3FC082DCCB573597B89DC336E665A5E5237B462D1925935148B45AC59B24D24A298946842729F3A68E26B8B9E222DF4984E9AC6AFB3E4A0AB3C28BF23E1D772A4F2105367AE77AF51} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {C19C559C6A1B732FDAC3DEF6D5255CF6D9C9116D00B46A3D4C1D2351789690D3CCD17891EC9A395511748C2F4C0B6B98C6BBBEE515A6A7450D6F3048153E46FE0FCFAA68D4F1D32E35EA6BCA67FA90A8F3A533A3711A685B4E4219E4CE7A2DBBE5C0BBCE17167C18741E76C599D7D6073C70CA65FB1923BE80260E86FF71125D} | |
| $m3 = {BE671DB460AA10496F56177C66C95E860DD5F1ACA771838E8B89F88804891506BA2D842195E4D19C504CFBD222BDDAF2B2353B1E8FC309FBFC132E5ABF897C3D3B251EF6F3587B9CF401B5C60AB880CEBE27746167274D6AE5EC81615879A3E01710121527B0E14D347F2B472044B9DE6624668ACD4FBA1FC538C85490E172F61966756AB94968CF38790DAA30A8DB2C60489ED7AA1401A983D7389130391396033A7C4054B6ADE02F1B83DCA811523E02B3D72BFD21B6A75CA30F0BA9A610500E342E4DA7CEC95E25D48CBCF36E7C29BC015DFC31875AD58C8567588819A0BF35F0EA2BA321E790F683E5A8ED60785E7B6083FD570B5D410D635460D64321EF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "NSCM -DllGetClassObject- platform initialization failed\n" | |
| $a1 = "NSCM -DllGetClassObject- SCM initialization failed\n" | |
| $a2 = "NSCM -DllGetClassObject- SAM initialization failed\n" | |
| $w0 = "\\WINDOWS\\SYSTEM32\\INETSRV\\W3WP.EXE" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {BE671DB460AA10496F56177C66C95E860DD5F1ACA771838E8B89F88804891506BA2D842195E4D19C504CFBD222BDDAF2B2353B1E8FC309FBFC132E5ABF897C3D3B251EF6F3587B9CF401B5C60AB880CEBE27746167274D6AE5EC81615879A3E01710121527B0E14D347F2B472044B9DE6624668ACD4FBA1FC538C85490E172F61966756AB94968CF38790DAA30A8DB2C60489ED7AA1401A983D7389130391396033A7C4054B6ADE02F1B83DCA811523E02B3D72BFD21B6A75CA30F0BA9A610500E342E4DA7CEC95E25D48CBCF36E7C29BC015DFC31875AD58C8567588819A0BF35F0EA2BA321E790F683E5A8ED60785E7B6083FD570B5D410D635460D64321EF} | |
| $m3 = {CFA241F029B618700FC132998826EC17AB89DBB413AD918AEF6BFFDA5170082EE482DD299F64B79AB133740CFA99446740011EB82CA6951AF405E993AE13BD1FCBE73B2BDD27A21B313D162C56FA3E90C8EF025BEE619AFF6E64462D8930DC96DDB85C1648B5CDCE1485F8440B1C240AC888B4406491888732C3C5B14692422B} | |
| $m4 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "Irp->CurrentLocation <= Irp->StackCount + 1" | |
| $m0 = {C4B5F25215BC88866029164A5B2F4B916B8791F335545835EAD1365E624D52513471C27B661D89C8DD2AC46A0AF637D9987491F692AEB0B57696F1A94A6345472E6B0B924E4B2B8CEE584A8BD407E41A2CF882AA58D9CD42F32DC075DE8DABC78E1D9A6C4C08951EDEDBEF67E172C249C29E603CE1E2BE16A3637869147BAD2D} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {BE671DB460AA10496F56177C66C95E860DD5F1ACA771838E8B89F88804891506BA2D842195E4D19C504CFBD222BDDAF2B2353B1E8FC309FBFC132E5ABF897C3D3B251EF6F3587B9CF401B5C60AB880CEBE27746167274D6AE5EC81615879A3E01710121527B0E14D347F2B472044B9DE6624668ACD4FBA1FC538C85490E172F61966756AB94968CF38790DAA30A8DB2C60489ED7AA1401A983D7389130391396033A7C4054B6ADE02F1B83DCA811523E02B3D72BFD21B6A75CA30F0BA9A610500E342E4DA7CEC95E25D48CBCF36E7C29BC015DFC31875AD58C8567588819A0BF35F0EA2BA321E790F683E5A8ED60785E7B6083FD570B5D410D635460D64321EF} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {D58656C0DEA2D94363A3893FDAF950275A4196ACE8DD8745DE1279CD6A644C13F0AC6875FC911961493877176B4C88A9CB97EA48903E5D3C9969C8A684BD106FD2E111C4D8C5CE5B0CC7234F3F65E12562B41C46B38B4C1743144AAF0C4E1A33F2B275A95F8B442E40F56655E32074C24C0726D720F675AB79D7E5049B823719} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\DosDevices\\AsrDrv104" wide | |
| $w1 = ".Translated" wide | |
| $w2 = "\\REGISTRY\\MACHINE\\HARDWARE\\RESOURCEMAP\\System Resources\\Physical Memory" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {D67A74E9DC9685FA0F266297B09723664D0C8D9D1A38E749A1AD896A90F7BA01ADBF6F0FFC9378EFD1D4E17E4B20A22D1BA4D28F47F4A061D1C5CB031064E94A6102D15ADE1E9765E5F92C8E400C45AB248CA68C120CCCAEFB7FFC28143ACDCB257079C7B5BF6FCFC1C33AA9B01A0E7011AF97E808734152C4B3B9BD5B8028EDE16E5D2E17432C0EDB75C750949526DE6D807BAA0EFA96ABB5B4194F8EF6AE01D0199CAC40AFB99A3D8C6982DC560FDCBD1F7919C3A2385385D03A9B5FAAB3D4AE22C5DDC69268E2DCA124D1822E4D116B20E67325796EB1DB21CF23FC526E882B2026622228F0223B0DBA1DEF0358A3AB44E92EEC6F5B129F5327F290EDBADB} | |
| $m5 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\DosDevices\\AsrSmartConnectDrv" wide | |
| $w1 = "\\REGISTRY\\MACHINE\\HARDWARE\\RESOURCEMAP\\System Resources\\Physical Memory" wide | |
| $w2 = ".Translated" wide | |
| $m0 = {C4B5F25215BC88866029164A5B2F4B916B8791F335545835EAD1365E624D52513471C27B661D89C8DD2AC46A0AF637D9987491F692AEB0B57696F1A94A6345472E6B0B924E4B2B8CEE584A8BD407E41A2CF882AA58D9CD42F32DC075DE8DABC78E1D9A6C4C08951EDEDBEF67E172C249C29E603CE1E2BE16A3637869147BAD2D} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {EFF813CA43D195BD645B01FC099DD99A44C4AFB0CB5D4E521ACDC1B74CEED891C9A2EA371DE16EC9A62D3988E018C0D22A2D6BF72C440B9C6BA277D27158975F136FAE88BE5FAF7B7BEDF49B61EA77086968FBAE43CFBAF93230DE4303D86F561572CD2A92143986595D8C347A2E6738F52EA1CA9691884BE506F8B0CFD6418BD0FAB6BB260FBB42947D184D6D38D6062EB24FCBF831355269660AB355AA9D94A12311F1B2C59148D9B80A3BCAC20D7018D3B1711D8AD8CAF44E82558A47D9C50CFDFC422C729A1E96237A2E10CC3E69702985FEEA04BF3AC9C289FEC334A6281C773B6FD090C1ED5D5514DB91A99654E82BC4508B10FE50EA23DB0E8E798211} | |
| $m5 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_7cfa5e10dff8a99a5d544b011f676bc383991274c693e21e3af40cf6982adb8c | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "7cfa5e10dff8a99a5d544b011f676bc383991274c693e21e3af40cf6982adb8c" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\WinIoB" wide | |
| $w1 = "\\DosDevices\\WinIoB" wide | |
| $w2 = "\\Device\\PhysicalMemory" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {BCBB452474D8F1E436D8A132EBE9A8497EF90DE1CEA045BA3C0EFFB368009253376FAC7CF180C2C9310A35F1851747EFBE798BEFA59F18A5F16AB4FC9F294C2E7CE19F34F975168F7AD9218FE6929A45CB5DE1B685761539E583640D7909FABE329F938FAE6D41C6BFA18058D4D3F964934E8A57B07FCF3532F7EB305F4DA03622A0C77CBDB3E098629464540E30772B9D3F2A4172E0550198354B399A6C42EDD547BB8A451777DC1D3D92692907D3595A217D66F4BEBC7A41777369C252DCC978831E2B877DD4A94C9ABDF60A3D42D67B54D79A478F7D920B349FF2942E6D070E991E0980C5235A121455BB31A2B6AAEEFFB1FC852C66CBFFFEE88B1F50BFA7} | |
| $m3 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m4 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_50db5480d0392a7dd6ab5df98389dc24d1ed1e9c98c9c35964b19dabcd6dc67f | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "50db5480d0392a7dd6ab5df98389dc24d1ed1e9c98c9c35964b19dabcd6dc67f" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "CITMDRV.SYS: ZwCreateFile failed (0x%x)\n" | |
| $a1 = "CITMDRV.SYS: unload...\n" | |
| $a2 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_WRITECOMBINE\n" | |
| $a3 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_NOCACHE\n" | |
| $a4 = "CITMDRV.SYS: ZwUnmapViewOfSection failed (0x%x)\n" | |
| $a5 = "CITMDRV.SYS: copy %u bytes into user memory\n" | |
| $a6 = "CITMDRV.SYS: virtualAddress=0x%p\n" | |
| $a7 = "CITMDRV.SYS: Insufficient input or output buffer\n" | |
| $a8 = "CITMDRV.SYS: MmProbeAndLockPages access violation\n" | |
| $a9 = "CITMDRV.SYS: ZwMapViewOfSection failed (0x%x)\n" | |
| $a10 = "CITMDRV.SYS: userOffset = 0x%x\n" | |
| $a11 = "CITMDRV.SYS: requested offset = 0x%x\n" | |
| $a12 = "CITMDRV.SYS: aligned Address = 0x%I64x\n" | |
| $a13 = "CITMDRV.SYS: Try to split into single pages\n" | |
| $a14 = "CITMDRV.SYS: ZwOpenSection failed (0x%x)\n" | |
| $a15 = "CITMDRV.SYS: offset = 0x%x\n" | |
| $a16 = "CITMDRV.SYS: aligned end Address = 0x%I64x\n" | |
| $a17 = "CITMDRV.SYS: aligned start Address = 0x%I64x\n" | |
| $a18 = "CITMDRV.SYS: requested Size = 0x%x\n" | |
| $a19 = "CITMDRV.SYS: requested Address = 0x%I64x\n" | |
| $a20 = "CITMDRV.SYS: IoAllocateMdl failed\n" | |
| $a21 = "CITMDRV.SYS: userVirtualAddress = 0x%p\n" | |
| $a22 = "CITMDRV.SYS: IRP_MJ_CREATE\n" | |
| $a23 = "CITMDRV.SYS: unknown IRP_MJ_DEVICE_CONTROL\n" | |
| $a24 = "CITMDRV.SYS: IoCreateDevice failed\n" | |
| $a25 = "CITMDRV.SYS: IoCreateSymbolicLink failed\n" | |
| $a26 = "CITMDRV.SYS: DriverEntry...\n" | |
| $w0 = "\\DosDevices\\CITMDRV" wide | |
| $w1 = "\\Device\\PhysicalMemory" wide | |
| $w2 = "\\Device\\CITMDRV" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {D66D48AB487B00E92CAB08B846957A4918A507E5A6ACF04FEDCD529AB14D7EB0444DED486867E9C23B5CE55969AE520C6E556E2D1583277A6A09479D9CE2104BB76D1332005412F7D28AA1A85027F622F542F2832FB348F0454BE2D13BAD717280718D798272374000C8DF32748EB926321695E71ACA96FA4B55ACF24DF9A780BDEFE07205866592C1941457898ACB2A866226CF5C5E336C59B9D4359DAB8D340FCC0606C7565AEC8D5AACC37AAED10DD2F72260F831D1FA7ED05D69C7EF31C65424CAF31BF2D9482EA4108D0F7D13B30D6D5FC88D516E9992518D418A871F6CEBC20E55012AB2B7C73611995439723309A26374311F3C4C5D324E6CE5B2EAA3} | |
| $m3 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m4 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\NTIOLib_OCKit_MB" wide | |
| $w1 = "\\DosDevices\\NTIOLib_OCKit_MB" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {B24F14E710BED72672AB3697EF53BF42845E58D18A28FC43466F7E2844500B755D00D73C0A449E206AA4F7454A3760A36E3F12FA6DFAB646C36AA3B80C2728025728D150F7613955B8C3E12586523CBF051DD7B39AF89A243149D5A2A9E2D391AB3E3C73EFF629F1C835D0307B7F4E92A5068F87E2CEF5C16366AC18692AC15EBB5AE86E95FF3B80629D99C7C72F66D5FD621A82555AC6FA40778EC9303C1BF0F235B86C599CFDE9D6CAB4401EF704CAD167A974E3A50854D983353B8E8C230C75B6DE864A9E1A3E0A5049389CD2A890BF98FAC88C2B27117E2AFBCEDEA9AE389322FAA6ECFB5C6176C344D6CC0C7E2F6D0680A27440BBB71FF43BD773541FF3} | |
| $m2 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m3 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| $m4 = {D344CA36E2A4B301068AAE6A67185909CBECE0DD0895A0069EB53D13C93F64806A17BE17C85C7A9F4E5516A462BBE7A31C8DDEF592BB3B14FB11BB17C626A0559499A911B2A5340DA5469690096A12FFCED32D4926DC591AA6D229A1F107391DD0660147449C4F7F65BF892A40109C011150DCD547E37A29C578A2AE74055B7295BF7B2721F75FA4D2376BA10BE4210AD4B713A43FBBBE97B2EBE0CB3917F3B096019C79774F84CF890B893AE01B54632ACBAF60C16FE1AD445E787AD217F60DCF4AB4CA6327CA5AF7BA5B3FC2F4D7DDAB767ED82F2E0D873055CDC27257E8BB2BF4CA19ED0D84A4B9DFBC1B803C912F41F732FD4E31E1EC83190791FC6240A7} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "!!!!Get NDIS Module Info failed!\n" | |
| $a1 = "NdisIMInitializeDeviceInstanceEx" | |
| $a2 = "NdisIMInitializeDeviceInstanceEx:%p\n" | |
| $a3 = "ndisFindMiniportOnGlobalList:%p %x %p\n" | |
| $a4 = "NdisMRegisterMiniportDriver" | |
| $a5 = "NdisMRegisterMiniportDriver:%p\n" | |
| $a6 = "init_nic_adapter error no ndis offset\n" | |
| $a7 = "EnumSysModule tcpip.sys failed!\n" | |
| $a8 = "OpenBlockSearchLen %d set->0x600\n" | |
| $a9 = "OpenBlockSearchLen %d set->0x800\n" | |
| $a10 = "tcpip base:%p TcpOpenBlock %p OpenBlockSearchLen %x\n" | |
| $a11 = "RootDeviceNameOff:%d %d %d %d \n" | |
| $a12 = "!!!ndis6 offset init failed!\n" | |
| $a13 = "CreateFileA" | |
| $a14 = "CloseHandle" | |
| $a15 = "CreateProcessA" | |
| $a16 = "WaitForSingleObject" | |
| $a17 = "LoadLibraryA" | |
| $a18 = "GetModuleHandleA" | |
| $a19 = "\\DosDevices\\" | |
| $a20 = "\\SystemRoot\\" | |
| $a21 = "Content-Type: application/octet-stream\r\n" | |
| $a22 = "Content-Length: %d\r\n\r\n" | |
| $a23 = "Content-Length:" | |
| $a24 = "Connection:" | |
| $w0 = "\\registry\\machine\\system\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\" wide | |
| $w1 = "IPAddress" wide | |
| $w2 = "DhcpIPAddress" wide | |
| $w3 = "DefaultGateway" wide | |
| $w4 = "RtlGetVersion" wide | |
| $w5 = "kerNel32.dll" wide | |
| $w6 = "\\Device\\Tcp4" wide | |
| $w7 = "\\DosDevices\\Tcp4" wide | |
| $m0 = {AE0051901C0274FA4D6322EDEF2FF7D1CC7F88A6F830FA9B21953A427799B887ACBA537A557BEF3677CEB6A075CA3C91F942B305C59C7CD60D9BA9F4824C71352B73134F7CC9DB2EB71CDA2DFE38BA90D075442EC7783A4A2EC5732C138139278E13E8B5C91B206F3B5DDFAB3855BD871710046C3C849C6760477A70C8952E1DFFFEAD14F55DEF82EB2F03B44196762467BA0C03ED322BC30B4576D5D4BB8C099FFB223FD2899C68DE000DB2F6D57ADC29600779DBB58AB1A869DAC451A5E975B0CCBCF139E3BD5C104DB5BB7B97593D58B8BFC2B0BBD4AD93C18E0E1E2A5F3CD4BB098FD920FE2801DC56554FA7E4FAB2C1178A7A6113870F2DA8F771A31C3D} | |
| $m1 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m2 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "OmenCommandCenterBackground.exe" | |
| $a1 = "C:\\Program Files\\WindowsApps" | |
| $a2 = "check caller image name pass" | |
| $a3 = "check caller image path pass" | |
| $a4 = "Current IRQL is %d\r\n" | |
| $a5 = "Cannot resolve ZwQueryInformationProcess\n" | |
| $a6 = "ZwOpenFile fail" | |
| $a7 = "ObReferenceObjectByHandle fail" | |
| $a8 = "Current ProcessImageFileName: Unknown" | |
| $a9 = "Current ProcessImageFileName: %s" | |
| $w0 = "\\Device\\HpPortIO" wide | |
| $w1 = "\\DosDevices\\HpPortIO" wide | |
| $w2 = "ZwQueryInformationProcess" wide | |
| $m0 = {F8D3B31C7F0E11AF677707D30B314919CFD0FB4599B13ADB44F57FE5A89DDB32D771EA769D052EB78FFA9243C0A5F989D43719D7B6AAF09C86A5D825AC0E79283A7EE9D167D3C6FB2927C7D37B2394E4912396907782F9A18423661254335074B12826BB2469C2C252F214678A8945D42DA1A3E9882C2095AE1C4A8708DF0CF5E24D6018BEAAC4B2AE70316633713EAC70A2ABCE7FE97CCB92A1E53B311CCFEAF20AE457BB4AB5E974E62BFE6CCB7E7439360D90EFE4B54EA4A9EA6A0AAB84F3AC674EB5C4F78CD1202523EB08643E5296C1F20F12F4C58E0FC1A2E82C51F773BCBD85B1628373418207E4388B6A7320D00F64733C9E9FA633A9FD19DF2593D1} | |
| $m1 = {B2D90EE98D3739C51B07014630536AFB2317BD14C0CD0D8E0A048F21A4EAB34B9A2F16D9EE824A4136FCDA6AEC053DF267FDBA3CE3746C2201FA4247F6ADDF0CB968CD1BBCC89D365B8223832D49EE11F93BCA37BC1A166FE8862B3682CE2B603EAC0FA7EB935BE1F6F3AADAFDBBEC7831B30A577DB7AC216A7F82D15E67739FF34EE293581959AF612EEE1C841CCC8D633CEFE6AC5BBD5D64C1DC24973FDBF552C73551311F6A7A524730BB0811D3F2E4CE0D90944B23C7C34F068CA397C285B247160F3AA31779E33DF5CCB089416F3279CF6DB45AD7EDD46C90079D803652B5B655F4DEE26733B24A5F93045DC23722E12C163B0EF055128B0095B5BD5C25} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Driver\\" wide | |
| $w1 = "\\Device\\" wide | |
| $w2 = "\\DosDevices\\" wide | |
| $m0 = {E60E76CAA926C5B0C3AC62475F6472EFADE70865A6F9CB99194D4095ABB559F6182EC834B9843F60648E5BB8AF5ADC632C62182D631938F939E6B5BA61325B844C8C3406706C56E52AA86114569A2913EE72B75DF6FFAECA5DF7A695201479D466CD99FA7AD153802E507BF89915D6CDA951A0D1CE6F39449C7BA102D0AA0C232A935CDA8FCFDF1447E7847A3A3CB25F7A2D153D53D502DFB58A4C45FC95268A3DAA957C7F20563CFCFB623872AE2B62C15A94E63529CE41E04E3A9721C3194722652CF9666BD63DFE395779BA6F8E5031180BE59F0031CCC81C84CE3AD17F7FB2544F0899813414C4898453A93A38AC97A30C470A3CF46A9D96E0827ADB807B} | |
| $m1 = {CB5F1EAB51F4D37D612DD2199ABD25FD975C75CDCC23B09955F2B98003366A6F80C60CB5BA3C27450406156BAD0EDE7E47AE3803736B3D28130D242C2F391848A7465E08A9C45360C98C30A3C67D632146E008932FB895976F29FF79D88E9739C833A3571E307214EEB77A7FFF59DB35D075E9C9B2729D56C1CBB72CB7C79B1E2F6B9DE0493A1BF439D3BDA80BA769995B131C4E670937AEA0A826655ABA7FADBB49CA89066722C5E8921B198F02711F5BC1742406ACE87A28A96883A442BC2F247E81F17F27648F706768C372FB69D7E5F00E2C2233E41BC71BD7254D2FFC76FB317CF2989F8E1F6A9960ABBFF1320FCAFD33489D595C58ADE23D2978283074C8354EF2EF96185ADB60A8BEE7FD9AACF9C03DE37D4E4ACF0B65DF21A471E4222283F25360528E51813A35A0EAE9FCC175E085C206432C930ED3B762AF522735733FDB11A449F9BBE3DF3F95D9F9D493E870D9AC5B080C4931735FC6532C9B097548443349997730221181D41056562E24DC8CC49BB415A3618AD8C4EFE5CD44FBAD74E803A26D69C093A776BF16D97951B2A8109001DC87363E51AB71D9D14E958EE6D85BF3A9357087093B8C55F0D573357114FE6B0E5615B36B34BF7405EEA03B6DF86E3112E247F44BE7B7490DEB65CBA12384A47B5BF1E2FD6469CEB31F1B5B9F68F07522786FA839CBF0FEE4A667B90B4671FE7A7E75133E57E156509D} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\DosDevices\\" wide | |
| $w1 = "\\Device\\" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {D2259A2DA863D118C9674774330961BF2081F8EA1BA2782818BD518180111A36D4B4DF5C5755AEC8C6D098B19ADFA241FF6BE83AEAE6F3DE4C2519A9796ABC43E74E6A643CADD2EAE5229ECA5B42434FC19BE01ED8A6B6C3FE767D1A62B69FEEEEFE6EE49E0A45C877C517C0D54EC2E6074034B337748AF044CB891E4E2E5CDCDF5888EB143D3834AF6AA1D13528B210B522E546AB0BBDF0A723CB3C386432B0C73E46261187AF42021456E0703B5A2E52663C5EE48A41B36659CB73DB90852CEDF48B920F206C648CF8FA4F15EB9BE42A0A6058B15D41A1A499C707D6F1B51241C78F943314212B22EAF4A3CA8DB6F80CE5981BCF74D04EDAFCC58E27A580FF} | |
| $m3 = {97831E0016AF2CB1D208C4D7689351601E71F6E247B4DB584D23626AB4BF5A1B51F7A30D187768BBD836AB2F2150DA9EF3E75F274E0BC297C8097093A9DA5C0D4EA40D91A0B4EC14CE9172542ECEA3DB44E9521B3F413CCA4AE4AAC0E839AB53CC21D0CCCF7F9BE6C2CC586A8215EE3D36CF1CC59707248EF17BBE312D3D6EDCB599429F4B61955F1C70EE177DDB8BE5618978C7681BAF11781A98AEC4554753D9B332D6A10E4640C597928AD153A7995B853557D3EA936261200AC7307724114D6283B6BA7B688231EE65CADFF9D58DB235DC8C2B6F6A725C60849CF20C945EC056520048CCD3F8A57DDE2FD713E438A884D546B81386C21B9DEA5A38DD9BDB} | |
| $m4 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\DosDevices\\BS_HWMIO" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {C5964585DCBC1960DAC4075D617F7AEF42A9B7ABBC1BEF996BA4BBD55A5B0AFC2E44101075493AD8A41BA6B1FFE4A1E39687817461D913541A8AFD679BBBC7ED045481974A0C22B8C7962ADA17360F8BCB12AC1380B1DE138A2A27BECAFC602C03CB25DF3CAE921F907807604046CDD2B2C02880A7FB84E6C7B58E8095DC03DDD438D64C430FB717CC0BD712DD1CEA097E4F93BF0E8ABE9939778D7ADA0CF1903C509461BF3914EE89C686F18D2461556C55DE13DAF1E7D14D5517D5D2EE6B3DA79A9BF603361EC33271C0AFFDAF76C6C8100C8F10CFADA7436EB0A9D2D39EC4E813B0B1EC1E3D3A9A4F5CD92D65F7C9ECD747B300AB7DC6FAFF908E00026F5B} | |
| $m3 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m4 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "!!!!Get NDIS Module Info failed!\n" | |
| $a1 = "NdisIMInitializeDeviceInstanceEx" | |
| $a2 = "NdisIMInitializeDeviceInstanceEx:%p\n" | |
| $a3 = "ndisFindMiniportOnGlobalList:%p %x %p\n" | |
| $a4 = "NdisMRegisterMiniportDriver" | |
| $a5 = "NdisMRegisterMiniportDriver:%p\n" | |
| $a6 = "init_nic_adapter error no ndis offset\n" | |
| $a7 = "EnumSysModule tcpip.sys failed!\n" | |
| $a8 = "OpenBlockSearchLen %d set->0x600\n" | |
| $a9 = "OpenBlockSearchLen %d set->0x800\n" | |
| $a10 = "tcpip base:%p TcpOpenBlock %p OpenBlockSearchLen %x\n" | |
| $a11 = "RootDeviceNameOff:%d %d %d %d \n" | |
| $a12 = "!!!ndis6 offset init failed!\n" | |
| $a13 = "CreateFileA" | |
| $a14 = "CloseHandle" | |
| $a15 = "CreateProcessA" | |
| $a16 = "WaitForSingleObject" | |
| $a17 = "LoadLibraryA" | |
| $a18 = "GetModuleHandleA" | |
| $a19 = "\\DosDevices\\" | |
| $a20 = "\\SystemRoot\\" | |
| $a21 = "Content-Type: application/octet-stream\r\n" | |
| $a22 = "Content-Length: %d\r\n\r\n" | |
| $a23 = "Content-Length:" | |
| $a24 = "Connection:" | |
| $w0 = "\\registry\\machine\\system\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\" wide | |
| $w1 = "IPAddress" wide | |
| $w2 = "DhcpIPAddress" wide | |
| $w3 = "DefaultGateway" wide | |
| $w4 = "RtlGetVersion" wide | |
| $w5 = "kerNel32.dll" wide | |
| $w6 = "\\Device\\Tcp4" wide | |
| $w7 = "\\DosDevices\\Tcp4" wide | |
| $m0 = {AE0051901C0274FA4D6322EDEF2FF7D1CC7F88A6F830FA9B21953A427799B887ACBA537A557BEF3677CEB6A075CA3C91F942B305C59C7CD60D9BA9F4824C71352B73134F7CC9DB2EB71CDA2DFE38BA90D075442EC7783A4A2EC5732C138139278E13E8B5C91B206F3B5DDFAB3855BD871710046C3C849C6760477A70C8952E1DFFFEAD14F55DEF82EB2F03B44196762467BA0C03ED322BC30B4576D5D4BB8C099FFB223FD2899C68DE000DB2F6D57ADC29600779DBB58AB1A869DAC451A5E975B0CCBCF139E3BD5C104DB5BB7B97593D58B8BFC2B0BBD4AD93C18E0E1E2A5F3CD4BB098FD920FE2801DC56554FA7E4FAB2C1178A7A6113870F2DA8F771A31C3D} | |
| $m1 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m2 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "VirtualAddress=0x%x" | |
| $a1 = "Buffer size not match !!" | |
| $a2 = "Valid(dwHandle)=%x" | |
| $a3 = "ptPageAddr->dwHandle VA=%x,sizeof(dwHandle)=%d" | |
| $a4 = "Physical Address=%x,dwLins=%x" | |
| $a5 = "Allocate Size=%d" | |
| $a6 = "(FREE_PHYS_MEM) Insufficient input or output buffer\n" | |
| $a7 = "Physical Address=%x" | |
| $a8 = "Default VA=%x" | |
| $a9 = "Exit Alloc function!!" | |
| $a10 = "In Alloc function!!" | |
| $a11 = "MAPMEM.SYS: ZwUnmapViewOfSection failed\n" | |
| $a12 = "MAPMEM.SYS: memory successfully unmapped\n" | |
| $a13 = "InputBufferLength=%d,szieof(PVOID)=%d" | |
| $a14 = "MAPMEM.SYS: memory map failed :(\n" | |
| $a15 = "MAPMEM.SYS: memory successfully mapped\n" | |
| $a16 = "Exit SMBUS Control" | |
| $a17 = "In SMBUS Control" | |
| $w0 = "\\DosDevices\\GIO" wide | |
| $w1 = "\\Device\\PhysicalMemory" wide | |
| $w2 = "\\Device\\GIO" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {BE671DB460AA10496F56177C66C95E860DD5F1ACA771838E8B89F88804891506BA2D842195E4D19C504CFBD222BDDAF2B2353B1E8FC309FBFC132E5ABF897C3D3B251EF6F3587B9CF401B5C60AB880CEBE27746167274D6AE5EC81615879A3E01710121527B0E14D347F2B472044B9DE6624668ACD4FBA1FC538C85490E172F61966756AB94968CF38790DAA30A8DB2C60489ED7AA1401A983D7389130391396033A7C4054B6ADE02F1B83DCA811523E02B3D72BFD21B6A75CA30F0BA9A610500E342E4DA7CEC95E25D48CBCF36E7C29BC015DFC31875AD58C8567588819A0BF35F0EA2BA321E790F683E5A8ED60785E7B6083FD570B5D410D635460D64321EF} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {C12E096B512DD70C5579CB6703B7D82BBEAC1005649D7A1FA7A80A7A58F78A00C7EE18FFC3F75BCF36CB768E7D29698C42DC3F01A884BBA78343CD2791377BAE1F234D02A853BF9CDDD85A30FD0484B424CE91377C11605094236C714880E5DEFFC8F99141552BCA31ACBED448454632ADBA4BCCB5C1C6CC4B4AD4C54961D2FD} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\DosDevices\\RwDrv" wide | |
| $w1 = ".Translated" wide | |
| $w2 = "\\REGISTRY\\MACHINE\\HARDWARE\\RESOURCEMAP\\System Resources\\Physical Memory" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {B24F14E710BED72672AB3697EF53BF42845E58D18A28FC43466F7E2844500B755D00D73C0A449E206AA4F7454A3760A36E3F12FA6DFAB646C36AA3B80C2728025728D150F7613955B8C3E12586523CBF051DD7B39AF89A243149D5A2A9E2D391AB3E3C73EFF629F1C835D0307B7F4E92A5068F87E2CEF5C16366AC18692AC15EBB5AE86E95FF3B80629D99C7C72F66D5FD621A82555AC6FA40778EC9303C1BF0F235B86C599CFDE9D6CAB4401EF704CAD167A974E3A50854D983353B8E8C230C75B6DE864A9E1A3E0A5049389CD2A890BF98FAC88C2B27117E2AFBCEDEA9AE389322FAA6ECFB5C6176C344D6CC0C7E2F6D0680A27440BBB71FF43BD773541FF3} | |
| $m2 = {8AF57E93D2309F14BAF6852959007FBF4383CB97796FF03F6AF0EF7E54A9CFE36E37AA4A54882A59DA5D4CF72491A0201B0470D9354F073D9B6F5145DD90C3529DCAA5A27D1803A9C5FDB7A513ECE33E7B7268D29558E27CE6789AE975CF3388573A1E250F655F067B297E286BCDD74AC90C5BF65744799BE6E394994A20981A1BA770F49E0A4DAFD6D07C18CCCFB6B36D85242CCABF42072483EA04F43C1303B83B7A57546206D8E9B327A6B961D13B60A9BE9C3CA7760620C0436FB016C137758C78A0A4B4EC9C36717C8811E02D72DB7F4DEC7215D09061C438AA35284AFEE1C98367B7FF02D004445032E0F0216CC7F7E4AB418C4422555EB0FC1BFE74AB} | |
| $m3 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m4 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\WinRing0_1_0_1" wide | |
| $w1 = "\\DosDevices\\WinRing0_1_0_1" wide | |
| $m0 = {C4B5F25215BC88866029164A5B2F4B916B8791F335545835EAD1365E624D52513471C27B661D89C8DD2AC46A0AF637D9987491F692AEB0B57696F1A94A6345472E6B0B924E4B2B8CEE584A8BD407E41A2CF882AA58D9CD42F32DC075DE8DABC78E1D9A6C4C08951EDEDBEF67E172C249C29E603CE1E2BE16A3637869147BAD2D} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {BEBCEEBC7EEF83EBE0374FFB031038BE08D28C7D9DFA927F190CC26BEE42528CDED31C481325EAC1637AF95165EED3AA3BF5F0949C2BFBF266D424DAF7F59F6E193936BCD0A376081E2227246C389127E28449AE1B8AA1FD25822C1030E871AB28E8774A51F1ECCDF8F054D46FC0E36D0A8FD9D8648D63B22D4E27F6850EFE6DE32999E285477C2D867FE8578FAD67C23332911320FCA923149A6DC2844B766804D5712C5D21FA880D26FD1F2D912BE701554DF26D352882DFD96B5CB6D6D9AA81FD5FCD83BA639DD022FCA93B4269B28E3AB5BCB49E0F5EC4EA2C828B28FD530896DDB50120D1F9A518E7C0EE517037E1B6054852486F38EAC3E86C7B4484BB} | |
| $m3 = {A234254800C576D4E9FF76B0320FD2CD1DD9CE60718E14CC1FE8C72D68D65177E75B04BAD7E8F86330D9DC2EE2E616F4CFD95B07D5BAFCD87D377ECC63ABF2745B3A7E7432DFA64D8719154FC282C423ADC67B97F4D9F46E3818FDDD432A09272DA53A0AE7E998C4E0C28030E825AB2D994BF084ACD087084833691EC56B33AB} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\NTIOLib_MSIFrequency_CC" wide | |
| $w1 = "\\DosDevices\\NTIOLib_MSIFrequency_CC" wide | |
| $m0 = {A9596674DA3D8A7D7AD8FCF580447BFE476A14554E50470BECD3EDCEF638F74F69B9B1F0B678820A8C761667E202ADB70DA58AF603FC66D3FC082DCCB573597B89DC336E665A5E5237B462D1925935148B45AC59B24D24A298946842729F3A68E26B8B9E222DF4984E9AC6AFB3E4A0AB3C28BF23E1D772A4F2105367AE77AF51} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {B24F14E710BED72672AB3697EF53BF42845E58D18A28FC43466F7E2844500B755D00D73C0A449E206AA4F7454A3760A36E3F12FA6DFAB646C36AA3B80C2728025728D150F7613955B8C3E12586523CBF051DD7B39AF89A243149D5A2A9E2D391AB3E3C73EFF629F1C835D0307B7F4E92A5068F87E2CEF5C16366AC18692AC15EBB5AE86E95FF3B80629D99C7C72F66D5FD621A82555AC6FA40778EC9303C1BF0F235B86C599CFDE9D6CAB4401EF704CAD167A974E3A50854D983353B8E8C230C75B6DE864A9E1A3E0A5049389CD2A890BF98FAC88C2B27117E2AFBCEDEA9AE389322FAA6ECFB5C6176C344D6CC0C7E2F6D0680A27440BBB71FF43BD773541FF3} | |
| $m3 = {BE4A2335C1F42275B5B0E7DD0A5B0C23655C15460D6E2E8455950F3EF4B46165CFB462C11F2C83EF605BF8ED1DC0808584DFD27F07F168DCDB64FB74B8F5A27190D81B187D0DD3F16A379AE523C9E2CF99ECC3EC1DA2567DB7967A08068BBC3288C310C7C6E0A34D724969FA8E317A31B2C8A414CBF217370C842939E5AE40813C50D577DCFED6E87CD8DF87744A8DED04E18FDD01E450A737B1663BF0A883778250EE26B95DD6A1F3F2AD0509B44D9E4CA02267FE8BC62F00197AD013933EC5F91B85208709E947F724CB1A1193F9CE3F1CD8CFAEC366C3C941E12F65EB098B67E31B59175C57B4D0A8988A7B5D93084EA27D4C14D525EC42C2B117D2BDA47B} | |
| $m4 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\NTIOLib_MSIDPC" wide | |
| $w1 = "\\DosDevices\\NTIOLib_MSIDPC" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {B24F14E710BED72672AB3697EF53BF42845E58D18A28FC43466F7E2844500B755D00D73C0A449E206AA4F7454A3760A36E3F12FA6DFAB646C36AA3B80C2728025728D150F7613955B8C3E12586523CBF051DD7B39AF89A243149D5A2A9E2D391AB3E3C73EFF629F1C835D0307B7F4E92A5068F87E2CEF5C16366AC18692AC15EBB5AE86E95FF3B80629D99C7C72F66D5FD621A82555AC6FA40778EC9303C1BF0F235B86C599CFDE9D6CAB4401EF704CAD167A974E3A50854D983353B8E8C230C75B6DE864A9E1A3E0A5049389CD2A890BF98FAC88C2B27117E2AFBCEDEA9AE389322FAA6ECFB5C6176C344D6CC0C7E2F6D0680A27440BBB71FF43BD773541FF3} | |
| $m2 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m3 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| $m4 = {D344CA36E2A4B301068AAE6A67185909CBECE0DD0895A0069EB53D13C93F64806A17BE17C85C7A9F4E5516A462BBE7A31C8DDEF592BB3B14FB11BB17C626A0559499A911B2A5340DA5469690096A12FFCED32D4926DC591AA6D229A1F107391DD0660147449C4F7F65BF892A40109C011150DCD547E37A29C578A2AE74055B7295BF7B2721F75FA4D2376BA10BE4210AD4B713A43FBBBE97B2EBE0CB3917F3B096019C79774F84CF890B893AE01B54632ACBAF60C16FE1AD445E787AD217F60DCF4AB4CA6327CA5AF7BA5B3FC2F4D7DDAB767ED82F2E0D873055CDC27257E8BB2BF4CA19ED0D84A4B9DFBC1B803C912F41F732FD4E31E1EC83190791FC6240A7} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "!!!AODDriver::SimplDrvDispatch(): EnableWatchDog_SB700\n" | |
| $a1 = "!!!AODDriver::SimplDrvDispatch(): EnableWatchDog_SB800\n" | |
| $a2 = "!!!AODDriver::SimplDrvDispatch(): TriggerWatchDog_SB800\n" | |
| $a3 = "!!!AODDriver::SimplDrvDispatch(): TriggerWatchDog_SB700\n" | |
| $a4 = "!!!AODDriver::SimplDrvDispatch(): AssertLDTStop_SB700\n" | |
| $a5 = "!!!AODDriver::SimplDrvDispatch(): AssertLDTStop_SB800\n" | |
| $a6 = "!!!AODDriver::SimplDrvDispatch(): ulPMIO2BaseAddress : %x\n" | |
| $a7 = "!!!AODDriver::SimplDrvDispatch(): ReadSBRegister_SB700\n" | |
| $a8 = "!!!AODDriver::SimplDrvDispatch(): ReadSBRegister_SB700 %d\n" | |
| $a9 = "!!!AODDriver::SimplDrvDispatch(): ReadSBRegister_SB700--->2\n" | |
| $a10 = "!!!AODDriver::SimplDrvDispatch(): ReadSBRegister_SB700--->3\n" | |
| $a11 = "!!!AODDriver::SimplDrvDispatch(): ReadSBRegister_SB700 Failed\n" | |
| $a12 = "!!!AODDriver::SimplDrvDispatch(): ReadSBRegister return 0\n" | |
| $a13 = "!!!AODDriver::SimplDrvDispatch(): ReadSBRegister_SB800\n" | |
| $a14 = "!!!AODDriver::SimplDrvDispatch(): IRP_MJ_CREATE\n" | |
| $a15 = "!!!AODDriver::SimplDrvDispatch(): IRP_MJ_CLOSE\n" | |
| $a16 = "!!!AODDriver::DriverDispatch():IOCTL_WRITE_FUNCTION0:DEVICE_ID not found\n" | |
| $a17 = "!!!AODDriver::DriverDispatch():IOCTL_WRITE_FUNCTION1:DEVICE_ID not found\n" | |
| $a18 = "!!!AODDriver::DriverDispatch():IOCTL_WRITE_FUNCTION2:DEVICE_ID not found\n" | |
| $a19 = "!!!AODDriver::DriverDispatch():IOCTL_WRITE_FUNCTION3:DEVICE_ID not found\n" | |
| $a20 = "!!!AODDriver::DriverDispatch():IOCTL_WRITE_FUNCTION4:DEVICE_ID not found\n" | |
| $a21 = "!!!AODDriver::DriverDispatch():IOCTL_WRITE_FUNCTION5:DEVICE_ID not found\n" | |
| $a22 = "!!!AODDriver::DriverDispatch():IOCTL_WRITE_D0F0:DEVICE_ID not found\n" | |
| $a23 = "!!AODDriver::SimplDrvDispatch(): unknown IRP_MJ_DEVICE_CONTROL %X\n" | |
| $a24 = "!!!AODDriver::DriverUnload(): Unloading\n" | |
| $a25 = "!!!AODDriver::DriverEntry(): Entering.\n" | |
| $a26 = "!!!AODDriver::DriverEntry(): IoCreateSymbolicLink() failed\n" | |
| $a27 = "!!!AODDriver::DriverEntry(): DriverInit() succeeded.\n" | |
| $a28 = "!!!AODDriver::DriverEntry(): DriverInit() failed.\n" | |
| $a29 = "Common::DriverInit(): InitACPITable() succeeded.\n" | |
| $a30 = "Found PCI MMIO base address %X\n" | |
| $a31 = "PCI MMIO base address read from MSR is: %X\n" | |
| $a32 = "Common::_IsIMCEnabled(): AcpiMMioAddr = %X\n" | |
| $a33 = "Common::DriverInit(): _GetIMCBaseAddress() succeeded: %X\n" | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {B218E9AF22059E20D9AE6D8492710092AF2C7DDE5F3E70199F26ABEEF65D0678CEDA656216C7491DC19BE6F335460ECC31A472E4AD20604436D2C0CAE4F4780E6B55DB0D559CE6394CA10295F813646A82C6C7A2C376E5CFFE785C5D9E1A1CDCF4395BE786F608F626B9818CA844742FB06F0EC1E77554C9603EAB5D507C0167E6CD74E084B059C11634A04C7454F3269C1CF109B996089D0439C3706180813279C1C3AF0076272A1F702AEEEB79676805E2855C63694B10DC1A514CC31171FA7745F0C3A7EEF459051C7E6FB38C2B03D6CC0073243C1E2314A90F3D9C48256277D09F28D3683B90CD15AAD323D0670F1A4D0FC31181B1983B45476727B36CB5} | |
| $m3 = {97831E0016AF2CB1D208C4D7689351601E71F6E247B4DB584D23626AB4BF5A1B51F7A30D187768BBD836AB2F2150DA9EF3E75F274E0BC297C8097093A9DA5C0D4EA40D91A0B4EC14CE9172542ECEA3DB44E9521B3F413CCA4AE4AAC0E839AB53CC21D0CCCF7F9BE6C2CC586A8215EE3D36CF1CC59707248EF17BBE312D3D6EDCB599429F4B61955F1C70EE177DDB8BE5618978C7681BAF11781A98AEC4554753D9B332D6A10E4640C597928AD153A7995B853557D3EA936261200AC7307724114D6283B6BA7B688231EE65CADFF9D58DB235DC8C2B6F6A725C60849CF20C945EC056520048CCD3F8A57DDE2FD713E438A884D546B81386C21B9DEA5A38DD9BDB} | |
| $m4 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "PsGetProcessInheritedFromUniqueProcessId" wide | |
| $w1 = "PsIsProtectedProcess" wide | |
| $w2 = "PsGetProcessImageFileName" wide | |
| $w3 = "PsGetProcessPeb" wide | |
| $w4 = "PsGetProcessWow64Process" wide | |
| $w5 = "PsCreateSystemThread" wide | |
| $w6 = "PsTerminateSystemThread" wide | |
| $w7 = "KeInitializeApc" wide | |
| $w8 = "KeInsertQueueApc" wide | |
| $w9 = "ZwTerminateProcess" wide | |
| $w10 = "ZwCreateJobObject" wide | |
| $w11 = "PsAssignProcessToJobObject" wide | |
| $w12 = "ZwAssignProcessToJobObject" wide | |
| $w13 = "ZwTerminateJobObject" wide | |
| $w14 = "MmUnmapViewOfSection" wide | |
| $w15 = "ObSetHandleAttributes" wide | |
| $w16 = "ObCloseHandle" wide | |
| $w17 = "PsSuspendProcess" wide | |
| $w18 = "PsResumeProcess" wide | |
| $w19 = "PsSetLoadImageNotifyRoutine" wide | |
| $w20 = "PsSetCreateThreadNotifyRoutine" wide | |
| $w21 = "PsSetCreateProcessNotifyRoutineEx" wide | |
| $w22 = "\\device\\KApcHelper1" wide | |
| $w23 = "\\dosdevices\\KApcHelperLink1" wide | |
| $m0 = {AF69359D3EDBA9AF9794179CEFF32B37B4348A457787D8DBB4C61F2C01BF987BE41A97E644EB481273BC3E852B58140D43FB48A1DEA699ED63F0E99FDC7C7C73ACDA119187EEFB3D448308F3D2250D99808B667C91D8C2E7119BC4C1C0C80B6CCC8B7A711F1DEE724ABD153D34133498EE4DFDA9F8EBA753703074885693A319AE41370B06DA5C8A59E3135DF83EE244DB9D5FBB766142BCCE5FC326AC55D89E053532A30FC76DA2D2AD644D75D433553FF405C1BC2E1FB1939C48309F9C1B752BDE025174B7CDEDEE53CBE7FC373FE9D51BDA44DCA98F127564E6D00E9F918E477ED7583D239B553522EC016A89FD4519377FC858B364B83D8A408BAE30D7D7} | |
| $m1 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m2 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6" | |
| created = "2023-04-07" | |
| strings: | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {D041FBD29F23BD9C7A43B72FA2D0D9984AA4F4FE469C460C6A1D90F11D81DF3D8F89B7F87BE08DE52C9F82476B7526E843AEDC689459F89BEBB7958FEBF11E8721FBD363799328AE85CB43CFFF4190DDBFB034E34CB6AF651F73289C8E3FF672922D70BCE2ED314B1A6279C286C6C78615EBF09EF7D3B8C7F294FEA42121B2E88CFBDA34C9E859B3C56753CD1AA7E3088171EB5EF9B050676EC48215DC481973425648B34AEE30B42A0D85D93D891E8FF07216B185B696F46E13FEE880F096067BAF1270113C171302F54E575A6E4307588ADEAEF2D5C0033F10010D5CA51ABA31A51FAAE110451320CA81941D7A5A99FDBA503A42AE5AFC81559C26FD73751F} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_5ee292b605cd3751a24e5949aae615d472a3c72688632c3040dc311055b75a92 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "5ee292b605cd3751a24e5949aae615d472a3c72688632c3040dc311055b75a92" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "CITMDRV.SYS: ZwCreateFile failed (0x%x)\n" | |
| $a1 = "CITMDRV.SYS: unload...\n" | |
| $a2 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_WRITECOMBINE\n" | |
| $a3 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_NOCACHE\n" | |
| $a4 = "CITMDRV.SYS: ZwUnmapViewOfSection failed (0x%x)\n" | |
| $a5 = "CITMDRV.SYS: copy %u bytes into user memory\n" | |
| $a6 = "CITMDRV.SYS: virtualAddress=0x%p\n" | |
| $a7 = "CITMDRV.SYS: Insufficient input or output buffer\n" | |
| $a8 = "CITMDRV.SYS: ZwMapViewOfSection failed (0x%x)\n" | |
| $a9 = "CITMDRV.SYS: aligned Address = 0x%I64x\n" | |
| $a10 = "CITMDRV.SYS: requested offset = 0x%x\n" | |
| $a11 = "CITMDRV.SYS: userOffset = 0x%x\n" | |
| $a12 = "CITMDRV.SYS: Try to split into single pages\n" | |
| $a13 = "CITMDRV.SYS: ZwOpenSection failed (0x%x)\n" | |
| $a14 = "CITMDRV.SYS: offset = 0x%x\n" | |
| $a15 = "CITMDRV.SYS: aligned end Address = 0x%I64x\n" | |
| $a16 = "CITMDRV.SYS: aligned start Address = 0x%I64x\n" | |
| $a17 = "CITMDRV.SYS: requested Size = 0x%x\n" | |
| $a18 = "CITMDRV.SYS: requested Address = 0x%I64x\n" | |
| $a19 = "CITMDRV.SYS: MmProbeAndLockPages access violation\n" | |
| $a20 = "CITMDRV.SYS: IoAllocateMdl failed\n" | |
| $a21 = "CITMDRV.SYS: userVirtualAddress = 0x%p\n" | |
| $a22 = "CITMDRV.SYS: unknown IRP_MJ_DEVICE_CONTROL\n" | |
| $a23 = "CITMDRV.SYS: IRP_MJ_CREATE\n" | |
| $a24 = "CITMDRV.SYS: IoCreateDevice failed\n" | |
| $a25 = "CITMDRV.SYS: IoCreateSymbolicLink failed\n" | |
| $a26 = "CITMDRV.SYS: DriverEntry...\n" | |
| $w0 = "\\DosDevices\\CITMDRV" wide | |
| $w1 = "\\Device\\PhysicalMemory" wide | |
| $w2 = "\\Device\\CITMDRV" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {D66D48AB487B00E92CAB08B846957A4918A507E5A6ACF04FEDCD529AB14D7EB0444DED486867E9C23B5CE55969AE520C6E556E2D1583277A6A09479D9CE2104BB76D1332005412F7D28AA1A85027F622F542F2832FB348F0454BE2D13BAD717280718D798272374000C8DF32748EB926321695E71ACA96FA4B55ACF24DF9A780BDEFE07205866592C1941457898ACB2A866226CF5C5E336C59B9D4359DAB8D340FCC0606C7565AEC8D5AACC37AAED10DD2F72260F831D1FA7ED05D69C7EF31C65424CAF31BF2D9482EA4108D0F7D13B30D6D5FC88D516E9992518D418A871F6CEBC20E55012AB2B7C73611995439723309A26374311F3C4C5D324E6CE5B2EAA3} | |
| $m3 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m4 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\NTIOLib_1_1_S" wide | |
| $w1 = "\\DosDevices\\NTIOLib_1_1_S" wide | |
| $m0 = {A9596674DA3D8A7D7AD8FCF580447BFE476A14554E50470BECD3EDCEF638F74F69B9B1F0B678820A8C761667E202ADB70DA58AF603FC66D3FC082DCCB573597B89DC336E665A5E5237B462D1925935148B45AC59B24D24A298946842729F3A68E26B8B9E222DF4984E9AC6AFB3E4A0AB3C28BF23E1D772A4F2105367AE77AF51} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {B24F14E710BED72672AB3697EF53BF42845E58D18A28FC43466F7E2844500B755D00D73C0A449E206AA4F7454A3760A36E3F12FA6DFAB646C36AA3B80C2728025728D150F7613955B8C3E12586523CBF051DD7B39AF89A243149D5A2A9E2D391AB3E3C73EFF629F1C835D0307B7F4E92A5068F87E2CEF5C16366AC18692AC15EBB5AE86E95FF3B80629D99C7C72F66D5FD621A82555AC6FA40778EC9303C1BF0F235B86C599CFDE9D6CAB4401EF704CAD167A974E3A50854D983353B8E8C230C75B6DE864A9E1A3E0A5049389CD2A890BF98FAC88C2B27117E2AFBCEDEA9AE389322FAA6ECFB5C6176C344D6CC0C7E2F6D0680A27440BBB71FF43BD773541FF3} | |
| $m3 = {BE4A2335C1F42275B5B0E7DD0A5B0C23655C15460D6E2E8455950F3EF4B46165CFB462C11F2C83EF605BF8ED1DC0808584DFD27F07F168DCDB64FB74B8F5A27190D81B187D0DD3F16A379AE523C9E2CF99ECC3EC1DA2567DB7967A08068BBC3288C310C7C6E0A34D724969FA8E317A31B2C8A414CBF217370C842939E5AE40813C50D577DCFED6E87CD8DF87744A8DED04E18FDD01E450A737B1663BF0A883778250EE26B95DD6A1F3F2AD0509B44D9E4CA02267FE8BC62F00197AD013933EC5F91B85208709E947F724CB1A1193F9CE3F1CD8CFAEC366C3C941E12F65EB098B67E31B59175C57B4D0A8988A7B5D93084EA27D4C14D525EC42C2B117D2BDA47B} | |
| $m4 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\IOBIT_WinRing0_1_3_0" wide | |
| $w1 = "\\DosDevices\\IOBIT_WinRing0_1_3_0" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {D74708B9913B08D998FD6745366314E87E990C6B94860213CC4A34AB3C8DFAFCA36A4DDC29B42216E333ECDBC8BF4209FD4A02DB9CDBAF1FCE8BE6884A860C9102B350413E847A7E242CF339EE9A9A0C7B521A3E3C3DC11682DA99F0B85925DDADCDF0EA4BBD82F9A4F61569BB81195F2D1DA881E15C83B940A118954AABF10D6868E5D8B5834E8DFEDB7CD5DC666B747FA135E8F028991D1934ED359AED6487ECD59FE6F023CA7F9654E7B6CC1FAE02716B70E53AF1FCE9695E72EEB958950E903082A04459949D3807122957276DF8518337D42E479599F38AE3FD0014D86C10017B0A791D177CC2A16861372770A4F76A5791D5DAF2D83A42CE018B60B33B} | |
| $m3 = {97831E0016AF2CB1D208C4D7689351601E71F6E247B4DB584D23626AB4BF5A1B51F7A30D187768BBD836AB2F2150DA9EF3E75F274E0BC297C8097093A9DA5C0D4EA40D91A0B4EC14CE9172542ECEA3DB44E9521B3F413CCA4AE4AAC0E839AB53CC21D0CCCF7F9BE6C2CC586A8215EE3D36CF1CC59707248EF17BBE312D3D6EDCB599429F4B61955F1C70EE177DDB8BE5618978C7681BAF11781A98AEC4554753D9B332D6A10E4640C597928AD153A7995B853557D3EA936261200AC7307724114D6283B6BA7B688231EE65CADFF9D58DB235DC8C2B6F6A725C60849CF20C945EC056520048CCD3F8A57DDE2FD713E438A884D546B81386C21B9DEA5A38DD9BDB} | |
| $m4 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_d8459f7d707c635e2c04d6d6d47b63f73ba3f6629702c7a6e0df0462f6478ae2 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "d8459f7d707c635e2c04d6d6d47b63f73ba3f6629702c7a6e0df0462f6478ae2" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "CITMDRV.SYS: ZwCreateFile failed (0x%x)\n" | |
| $a1 = "CITMDRV.SYS: unload...\n" | |
| $a2 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_WRITECOMBINE\n" | |
| $a3 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_NOCACHE\n" | |
| $a4 = "CITMDRV.SYS: ZwUnmapViewOfSection failed (0x%x)\n" | |
| $a5 = "CITMDRV.SYS: copy %u bytes into user memory\n" | |
| $a6 = "CITMDRV.SYS: virtualAddress=0x%p\n" | |
| $a7 = "CITMDRV.SYS: Insufficient input or output buffer\n" | |
| $a8 = "CITMDRV.SYS: MmProbeAndLockPages access violation\n" | |
| $a9 = "CITMDRV.SYS: ZwMapViewOfSection failed (0x%x)\n" | |
| $a10 = "CITMDRV.SYS: userOffset = 0x%x\n" | |
| $a11 = "CITMDRV.SYS: requested offset = 0x%x\n" | |
| $a12 = "CITMDRV.SYS: aligned Address = 0x%I64x\n" | |
| $a13 = "CITMDRV.SYS: Try to split into single pages\n" | |
| $a14 = "CITMDRV.SYS: ZwOpenSection failed (0x%x)\n" | |
| $a15 = "CITMDRV.SYS: offset = 0x%x\n" | |
| $a16 = "CITMDRV.SYS: aligned end Address = 0x%I64x\n" | |
| $a17 = "CITMDRV.SYS: aligned start Address = 0x%I64x\n" | |
| $a18 = "CITMDRV.SYS: requested Size = 0x%x\n" | |
| $a19 = "CITMDRV.SYS: requested Address = 0x%I64x\n" | |
| $a20 = "CITMDRV.SYS: IoAllocateMdl failed\n" | |
| $a21 = "CITMDRV.SYS: userVirtualAddress = 0x%p\n" | |
| $a22 = "CITMDRV.SYS: IRP_MJ_CREATE\n" | |
| $a23 = "CITMDRV.SYS: unknown IRP_MJ_DEVICE_CONTROL\n" | |
| $a24 = "CITMDRV.SYS: IoCreateDevice failed\n" | |
| $a25 = "CITMDRV.SYS: IoCreateSymbolicLink failed\n" | |
| $a26 = "CITMDRV.SYS: DriverEntry...\n" | |
| $w0 = "\\DosDevices\\CITMDRV" wide | |
| $w1 = "\\Device\\PhysicalMemory" wide | |
| $w2 = "\\Device\\CITMDRV" wide | |
| $m0 = {A9596674DA3D8A7D7AD8FCF580447BFE476A14554E50470BECD3EDCEF638F74F69B9B1F0B678820A8C761667E202ADB70DA58AF603FC66D3FC082DCCB573597B89DC336E665A5E5237B462D1925935148B45AC59B24D24A298946842729F3A68E26B8B9E222DF4984E9AC6AFB3E4A0AB3C28BF23E1D772A4F2105367AE77AF51} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {C19C559C6A1B732FDAC3DEF6D5255CF6D9C9116D00B46A3D4C1D2351789690D3CCD17891EC9A395511748C2F4C0B6B98C6BBBEE515A6A7450D6F3048153E46FE0FCFAA68D4F1D32E35EA6BCA67FA90A8F3A533A3711A685B4E4219E4CE7A2DBBE5C0BBCE17167C18741E76C599D7D6073C70CA65FB1923BE80260E86FF71125D} | |
| $m3 = {BE671DB460AA10496F56177C66C95E860DD5F1ACA771838E8B89F88804891506BA2D842195E4D19C504CFBD222BDDAF2B2353B1E8FC309FBFC132E5ABF897C3D3B251EF6F3587B9CF401B5C60AB880CEBE27746167274D6AE5EC81615879A3E01710121527B0E14D347F2B472044B9DE6624668ACD4FBA1FC538C85490E172F61966756AB94968CF38790DAA30A8DB2C60489ED7AA1401A983D7389130391396033A7C4054B6ADE02F1B83DCA811523E02B3D72BFD21B6A75CA30F0BA9A610500E342E4DA7CEC95E25D48CBCF36E7C29BC015DFC31875AD58C8567588819A0BF35F0EA2BA321E790F683E5A8ED60785E7B6083FD570B5D410D635460D64321EF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "ERROR: IoDeleteSymbolicLink" | |
| $a1 = "Leaving MsIoUnload" | |
| $a2 = "Entering MsIoUnload" | |
| $a3 = "Leaving MapPhysicalMemoryToLinearSpace" | |
| $a4 = "ERROR: ZwOpenSection failed" | |
| $a5 = "ERROR: ObReferenceObjectByHandle failed" | |
| $a6 = "ERROR: HalTranslateBusAddress failed" | |
| $a7 = "ERROR: ZwMapViewOfSection failed" | |
| $a8 = "Entering MapPhysicalMemoryToLinearSpace" | |
| $a9 = "Leaving UnmapPhysicalMemory" | |
| $a10 = "ERROR: UnmapViewOfSection failed" | |
| $a11 = "Entering UnmapPhysicalMemory" | |
| $a12 = "Leaving MsIoDispatch" | |
| $a13 = "IRP_MJ_CREATE" | |
| $a14 = "ERROR: Unknown IRP_MJ_DEVICE_CONTROL" | |
| $a15 = "IRP_MJ_DEVICE_CONTROL" | |
| $a16 = "---Entry MsIoDispatch---" | |
| $a17 = "Leaving DriverEntry" | |
| $a18 = "ERROR: IoCreateDevice failed" | |
| $a19 = "ERROR: IoCreateSymbolicLink failed" | |
| $a20 = "Entering DriverEntry" | |
| $w0 = "\\DosDevices\\MsIo" wide | |
| $w1 = "\\Device\\PhysicalMemory" wide | |
| $w2 = "\\Device\\MsIo" wide | |
| $m0 = {E60E76CAA926C5B0C3AC62475F6472EFADE70865A6F9CB99194D4095ABB559F6182EC834B9843F60648E5BB8AF5ADC632C62182D631938F939E6B5BA61325B844C8C3406706C56E52AA86114569A2913EE72B75DF6FFAECA5DF7A695201479D466CD99FA7AD153802E507BF89915D6CDA951A0D1CE6F39449C7BA102D0AA0C232A935CDA8FCFDF1447E7847A3A3CB25F7A2D153D53D502DFB58A4C45FC95268A3DAA957C7F20563CFCFB623872AE2B62C15A94E63529CE41E04E3A9721C3194722652CF9666BD63DFE395779BA6F8E5031180BE59F0031CCC81C84CE3AD17F7FB2544F0899813414C4898453A93A38AC97A30C470A3CF46A9D96E0827ADB807B} | |
| $m1 = {CB5F1EAB51F4D37D612DD2199ABD25FD975C75CDCC23B09955F2B98003366A6F80C60CB5BA3C27450406156BAD0EDE7E47AE3803736B3D28130D242C2F391848A7465E08A9C45360C98C30A3C67D632146E008932FB895976F29FF79D88E9739C833A3571E307214EEB77A7FFF59DB35D075E9C9B2729D56C1CBB72CB7C79B1E2F6B9DE0493A1BF439D3BDA80BA769995B131C4E670937AEA0A826655ABA7FADBB49CA89066722C5E8921B198F02711F5BC1742406ACE87A28A96883A442BC2F247E81F17F27648F706768C372FB69D7E5F00E2C2233E41BC71BD7254D2FFC76FB317CF2989F8E1F6A9960ABBFF1320FCAFD33489D595C58ADE23D2978283074C8354EF2EF96185ADB60A8BEE7FD9AACF9C03DE37D4E4ACF0B65DF21A471E4222283F25360528E51813A35A0EAE9FCC175E085C206432C930ED3B762AF522735733FDB11A449F9BBE3DF3F95D9F9D493E870D9AC5B080C4931735FC6532C9B097548443349997730221181D41056562E24DC8CC49BB415A3618AD8C4EFE5CD44FBAD74E803A26D69C093A776BF16D97951B2A8109001DC87363E51AB71D9D14E958EE6D85BF3A9357087093B8C55F0D573357114FE6B0E5615B36B34BF7405EEA03B6DF86E3112E247F44BE7B7490DEB65CBA12384A47B5BF1E2FD6469CEB31F1B5B9F68F07522786FA839CBF0FEE4A667B90B4671FE7A7E75133E57E156509D} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\NTIOLib_1_0_C" wide | |
| $w1 = "\\DosDevices\\NTIOLib_1_0_C" wide | |
| $m0 = {A29B752AA713BA09712418DFA1066229129EDC9E7573E8DF5657699613564FF2C8BC0158ED2686720B60F519C55503579BB910C9A1D47440FF6C00E8E65337FEB7DA793EB85238E9812C9F0E3352A6CD70CE4A5D62F4D1675EBC974A07CABCDD8D47B1CDF1655B8501B04B6BDECD8E2EF550E8A39C9D26986B366341037044F05FE2257579507D5FA106A2460C55954714D39146866899E727F494EC9A4151F796D47A8CE14497687103D8586FBDB41042EE0D6675468B4496D23000120763F7449B0170CA566F9C58972A27178B2E71526D46ABA72B0F7F164864C852FA0617000774D745B30CF5789573E80AEEC4E0728C1E11AA1EBB5ECEF9B400EE73BDCD} | |
| $m1 = {BE2794996C4B3FA39C28F8E6124A05A5316441DFE0F087D59DFBC11259F88F8067D69B9F6046EAF084B1629A2CA0BF2498A31B4F181D1E1E952E870944256088967CA045958D071E9C135E8DC1CDCB66B8B3C65A2AFD3003055D7DA2CDBE8A1EB7889518CF35891488B3E8A849CE2A195C7D3ABDFC5EA01035D675B1FCD9CA35} | |
| $m2 = {B0B1F2800070CEECC38CB497EDC6098C266F89DF675981CFDE14134CC2B145E2537541FA07366FBA117028947C6D72BD071525653A09FF85DCFA7B5E378738E4C74B0880989E8ACD580902C0C30149965888892659F56DC6B9C1FB1825EDD8624ECA0A6C5D70EFCED39B290B09C6F6EEB616D43C548ECC5DE0AFDBDD2309327B328116620A06CB7ACF3421B66F36B6B1CECB9A2935403E9D587CFFAD8298FAB8D589CA35DDCBCD5706CB9BE4BF94A880985F7796F0B6E7AB74794021A663E9D00791BD8538B4AE96ACA1FF1473DAA545B84D86CE2A3CEFD4DF280E75A9A88813C2E47C6093F225CC038497E64EB69F2DD6B58B343CABD5383AC83DC4B1F994CD} | |
| $m3 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497" | |
| created = "2023-04-07" | |
| strings: | |
| $m0 = {A64463E548D1ADEAD6DF6D1A1596FD45B155B3E89AD45CCCEBFEBC6445A782D5934F4C02D2B39BAE4A9E59EDAF8F37C6FCC633621F1173F2C407DCE4315111B834EB9D604D0865A7166E973054CC31CFCFADB63A280842D2F0D7ED40BD1D350459B2ECDE34D8BE71B96CDE6D857A431AA62549CB590621E38D5FB096425389EF3FBC6AB5612E9BDA21E824C71244CBBD1FD021B4B354247F7FCB04BE3CC84F551AD831213FDB769C093C3B1E26D488CD9A9F64BB9585CC153EE29DA0FFF8B6287CD1DF56EF8A1C42A380799E517719E98BF4F6A6D20A8DDB5E238B57352E18196E541F5B3087847F60B8CC713B61C60A4090D47FD1F77E0FEA4C87D3371C8A81} | |
| $m1 = {CB5F1EAB51F4D37D612DD2199ABD25FD975C75CDCC23B09955F2B98003366A6F80C60CB5BA3C27450406156BAD0EDE7E47AE3803736B3D28130D242C2F391848A7465E08A9C45360C98C30A3C67D632146E008932FB895976F29FF79D88E9739C833A3571E307214EEB77A7FFF59DB35D075E9C9B2729D56C1CBB72CB7C79B1E2F6B9DE0493A1BF439D3BDA80BA769995B131C4E670937AEA0A826655ABA7FADBB49CA89066722C5E8921B198F02711F5BC1742406ACE87A28A96883A442BC2F247E81F17F27648F706768C372FB69D7E5F00E2C2233E41BC71BD7254D2FFC76FB317CF2989F8E1F6A9960ABBFF1320FCAFD33489D595C58ADE23D2978283074C8354EF2EF96185ADB60A8BEE7FD9AACF9C03DE37D4E4ACF0B65DF21A471E4222283F25360528E51813A35A0EAE9FCC175E085C206432C930ED3B762AF522735733FDB11A449F9BBE3DF3F95D9F9D493E870D9AC5B080C4931735FC6532C9B097548443349997730221181D41056562E24DC8CC49BB415A3618AD8C4EFE5CD44FBAD74E803A26D69C093A776BF16D97951B2A8109001DC87363E51AB71D9D14E958EE6D85BF3A9357087093B8C55F0D573357114FE6B0E5615B36B34BF7405EEA03B6DF86E3112E247F44BE7B7490DEB65CBA12384A47B5BF1E2FD6469CEB31F1B5B9F68F07522786FA839CBF0FEE4A667B90B4671FE7A7E75133E57E156509D} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\NTIOLib_MSIDDR_CC" wide | |
| $w1 = "\\DosDevices\\NTIOLib_MSIDDR_CC" wide | |
| $m0 = {A9596674DA3D8A7D7AD8FCF580447BFE476A14554E50470BECD3EDCEF638F74F69B9B1F0B678820A8C761667E202ADB70DA58AF603FC66D3FC082DCCB573597B89DC336E665A5E5237B462D1925935148B45AC59B24D24A298946842729F3A68E26B8B9E222DF4984E9AC6AFB3E4A0AB3C28BF23E1D772A4F2105367AE77AF51} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {B24F14E710BED72672AB3697EF53BF42845E58D18A28FC43466F7E2844500B755D00D73C0A449E206AA4F7454A3760A36E3F12FA6DFAB646C36AA3B80C2728025728D150F7613955B8C3E12586523CBF051DD7B39AF89A243149D5A2A9E2D391AB3E3C73EFF629F1C835D0307B7F4E92A5068F87E2CEF5C16366AC18692AC15EBB5AE86E95FF3B80629D99C7C72F66D5FD621A82555AC6FA40778EC9303C1BF0F235B86C599CFDE9D6CAB4401EF704CAD167A974E3A50854D983353B8E8C230C75B6DE864A9E1A3E0A5049389CD2A890BF98FAC88C2B27117E2AFBCEDEA9AE389322FAA6ECFB5C6176C344D6CC0C7E2F6D0680A27440BBB71FF43BD773541FF3} | |
| $m3 = {BE4A2335C1F42275B5B0E7DD0A5B0C23655C15460D6E2E8455950F3EF4B46165CFB462C11F2C83EF605BF8ED1DC0808584DFD27F07F168DCDB64FB74B8F5A27190D81B187D0DD3F16A379AE523C9E2CF99ECC3EC1DA2567DB7967A08068BBC3288C310C7C6E0A34D724969FA8E317A31B2C8A414CBF217370C842939E5AE40813C50D577DCFED6E87CD8DF87744A8DED04E18FDD01E450A737B1663BF0A883778250EE26B95DD6A1F3F2AD0509B44D9E4CA02267FE8BC62F00197AD013933EC5F91B85208709E947F724CB1A1193F9CE3F1CD8CFAEC366C3C941E12F65EB098B67E31B59175C57B4D0A8988A7B5D93084EA27D4C14D525EC42C2B117D2BDA47B} | |
| $m4 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_58c071cfe72e9ee867bba85cbd0abe72eb223d27978d6f0650d0103553839b59 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "58c071cfe72e9ee867bba85cbd0abe72eb223d27978d6f0650d0103553839b59" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "remoteAddr" | |
| $w0 = "LG_SDK Flow Established Callout" wide | |
| $w1 = "Flow Established Callout" wide | |
| $w2 = "LG_SDK Stream Callout" wide | |
| $w3 = "Stream Callout" wide | |
| $w4 = "\\Registry\\Machine\\SYSTEM\\ControlSet001\\services\\%s" wide | |
| $w5 = "LG_SDK Provider" wide | |
| $w6 = "disabledcallouts" wide | |
| $w7 = "ZwQueryInformationProcess" wide | |
| $m0 = {F8D3B31C7F0E11AF677707D30B314919CFD0FB4599B13ADB44F57FE5A89DDB32D771EA769D052EB78FFA9243C0A5F989D43719D7B6AAF09C86A5D825AC0E79283A7EE9D167D3C6FB2927C7D37B2394E4912396907782F9A18423661254335074B12826BB2469C2C252F214678A8945D42DA1A3E9882C2095AE1C4A8708DF0CF5E24D6018BEAAC4B2AE70316633713EAC70A2ABCE7FE97CCB92A1E53B311CCFEAF20AE457BB4AB5E974E62BFE6CCB7E7439360D90EFE4B54EA4A9EA6A0AAB84F3AC674EB5C4F78CD1202523EB08643E5296C1F20F12F4C58E0FC1A2E82C51F773BCBD85B1628373418207E4388B6A7320D00F64733C9E9FA633A9FD19DF2593D1} | |
| $m1 = {AD0E15CEE443805CB187F3B760F97112A5AEDC269488AAF4CEF520392858600CF880DAA9159532613CB5B128848A8ADC9F0A0C83177A8F90AC8AE779535C31842AF60F98323676CCDEDD3CA8A2EF6AFB21F25261DF9F20D71FE2B1D9FE1864D2125B5FF9581835BC47CDA136F96B7FD4B0383EC11BC38C33D9D82F18FE280FB3A783D6C36E44C061359616FE599C8B766DD7F1A24B0D2BFF0B72DA9E60D08E9035C678558720A1CFE56D0AC8497C3198336C22E987D0325AA2BA138211ED39179D993A72A1E6FAA4D9D5173175AE857D22AE3F014686F62879C8B1DAE45717C47E1C0EB0B492A656B3BDB297EDAAA7F0B7C5A83F9516D0FFA196EB085F18774F} | |
| $m2 = {CD0B94E0092AF38CB39E7A1FF1787F44EF77C676CC8229E388049C56EE7BCB58B995AF3FD6FD49CB0F8D2F57F164B15AEEE1E9EB8B581D8966A33ACDD07F2EE2FA7A32E6E0AF050E381F4022B1C92B722EEC1C9E338A7FD57594D3F0C41E0CD08DF9C9C3CC5B1394F64D7B4C2BA2AECD76D9CCEB7D26ED4D586A600B169EBC0EC3C1DE8FC18C1DE7934FDC3FB975D52C3062C7D20B2C6FC781CC9AB618B8DD18E8E9CA917C819A4A51901D24F15C587743A79D46B5CF16C01C2D181F17DC992239EE8DEA1A46CD3CE97DA5145510DC8B0E7A6DF56CC4369C5BA9EB7DFC68809FAFB5355F63DCFED593034EA94EBCDDB8CBA07F69B070AA9EBE1C8F8F6674DF91} | |
| $m3 = {C81B01AFD92C7E88997D01983F2090BD9C80215493B9CFA03E53EFB35AC076D61A04A5CE4783B5EBC4CC4934CBF34565B9F9A764162609FBD53252792EC963C2139BB6863F010592666F21ABD571107987F4462ACDC45AC9DBD75D494D72560FDCC9E353983A2A1EFCCE5849D3BFF339BBB9A42342ACD015C37F9EA25CD738F116B270D3A3C4DFB3C572AC2E0A77FC0D9452B7FC1F9573243D0128BC0F0D4FB391018E6E9D277555D1173B34217B970194AF7F80CFD1110A5784C97F56E0BD469C82BE949DBFB420B0607EB84DF50D3FDBD0EA858C8A5671D12D944CC88C3CD314A29CBD26FFD35320C760699B580A54F405E7FD31ACF9C88517C7B82919A4292F46E3DDDB915F9F3F363E0E30672B46B735AF96BEDA4C60CCA8BB9F0D14D418C43098748221CF6256B52173121EFDAACA08588777A415EB1955FFD039542D26EE451A3A6FCDD784F0D7F028C54F648302D4FBE2DEF1BC0228F46DDA278A06D29687DEE86B0EF05B7DE9766993201C4A972C77192B9395989C979EEB8EC17856C64425DF06129A062D9F035EFD83A25367CAB1FA8DA164C9889259CBA846C0C9F2A6FF7D57DB1276FA8A4124D41BFC72A514A2D4AD431CA4498B413914031E29FA1BA522AEA5C34D82D08DDA6BB7DBF718405773F071A3FB4A7D4536C1F78D82FAB9C90D53807DFAB6395832EF6F185089D74F9D33BD1AB59DA1DE95417AA783} | |
| $m4 = {91874B2C8BC1F11EA09ED307C601CA52B0BE79795D0966062D2F357DBBC0FB27DA426A591B254CEAEF40D69A7E32C86A817DB45C3E561081353A22368CFBF8202987AC74D01B62BC3F6487025FEFC580EF061CDC5E4E9387B89ADE4C074E85CC70C50D7BECC3D9E397E9CB19DB56456CEE4B206CC93E6CFDF09BF128F89199AAFC5AC19A82203AB7EFE7D6B82549C2391B878139CBC3B73ACD9F50041F1A99A480024D1D05A855D36D528083E66E48A55FC18958608AEFF1ACCD8763188E74CB848741696381BCF61FAA7CD7C141CEADAB768B2080D42D95078DC7F50B171E9AE5D6996951C74EA69D296FE779930D326353AECCC6298A20C160C6F2022CC4F9C822DFF92782A18351C2BCC9821A2184B297BCD4AF441C968222952A8554AEF1FD3E497474FC8EAE3FA572F4C35A01AA50A58B76951B66EBEFDADF942ED91AEB4C277D4C05F7F8235DC457C826057AFC81235F5409382A62D5AACADFEDCF53AB1FF6449CD59959C556645BF78E520F66FC983F440613646EE9E1156050A5B1ECCFB8E8C90BBEC584F7DD0A9DDABC296C3D56EDBF7867B65BC85E141CB9AF842D77A2F73995376F4E7F1CC63C04D631C57EEF3DE8517E71AD24741B2CDCF97CAAEFC276496862D58BF503DFBE7D8E0F3675465B9376C483EE82BE2CAE3712F1BC56C3E4AD43C3B766965E9432FAA0F6AB8950FACEA0F308811AD144A7CCF7B831} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\DosDevices\\Global\\CPUZ128" wide | |
| $w1 = "\\DosDevices\\CPUZ128" wide | |
| $w2 = "\\DosDevices\\Global\\CPUZ128" wide | |
| $w3 = "\\DosDevices\\CPUZ128" wide | |
| $w4 = "\\Device\\cpuz128" wide | |
| $m0 = {C4B5F25215BC88866029164A5B2F4B916B8791F335545835EAD1365E624D52513471C27B661D89C8DD2AC46A0AF637D9987491F692AEB0B57696F1A94A6345472E6B0B924E4B2B8CEE584A8BD407E41A2CF882AA58D9CD42F32DC075DE8DABC78E1D9A6C4C08951EDEDBEF67E172C249C29E603CE1E2BE16A3637869147BAD2D} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {BEBCEEBC7EEF83EBE0374FFB031038BE08D28C7D9DFA927F190CC26BEE42528CDED31C481325EAC1637AF95165EED3AA3BF5F0949C2BFBF266D424DAF7F59F6E193936BCD0A376081E2227246C389127E28449AE1B8AA1FD25822C1030E871AB28E8774A51F1ECCDF8F054D46FC0E36D0A8FD9D8648D63B22D4E27F6850EFE6DE32999E285477C2D867FE8578FAD67C23332911320FCA923149A6DC2844B766804D5712C5D21FA880D26FD1F2D912BE701554DF26D352882DFD96B5CB6D6D9AA81FD5FCD83BA639DD022FCA93B4269B28E3AB5BCB49E0F5EC4EA2C828B28FD530896DDB50120D1F9A518E7C0EE517037E1B6054852486F38EAC3E86C7B4484BB} | |
| $m3 = {C84AA73C069EB89E409AC3D69AEEE5B01822FE9E60129E1B486D63DF8F19AC204E16E0B734299259FD21DE316003C20BA27A63372373AF3FD60CA43515AC6E4971D6035C6DDDD416DA03477C1C4BEB92E913992D04B8F9AC3206E35BE8C6A1740A2769F2578D46DF7F708A4E91CB8F4B88A78DC88D921B659D13DFB8F4A333C1} | |
| $m4 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "ASUSTeK COMPUTER INC." | |
| $a1 = "ASUSTeK Computer Inc." | |
| $a2 = "GetAsusStringFseg return TRUE" | |
| $a3 = "GetAsusString" | |
| $w0 = "\\Device\\PhysicalMemory" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {D230341C22141C55DBE3B5AD1B86BD0252E9AD3EA1E0B632961B925F4DBD74C7E2D7CEE8F8CB20B4D2CC021134397408C28CF916550555F516E00B5D382C569A3FEF1757AC8DD7CF1CF57E355054BC48FC251E4BAA8EF59E666319C2F537DE1BD36E2B2D67FC9C591AF77772304DBE392956DA2061D77BD916656903E01E0446E9A17D3571704223E5268EEF7302230ACB91AC667D6C598387B62A250289085BCAC88E73AE8D69C2A22AA5893CE9862596D12CB6F9444D2C845272D30620AF1EAC4B66531E8D95FF8CFF56093EA62D9A8AB82DC5C274B874F52DE4CFADA77D5BD9F086AD281BFA205F4326A97967D38292E75A55532228BBF4E7F86A6A7F88B3} | |
| $m5 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "Unknown" | |
| $a1 = "Phoenix - Award" | |
| $a2 = "Phoenix-Award" | |
| $w0 = "\\DosDevices\\BS_Def" wide | |
| $w1 = "\\Device\\BS_Def" wide | |
| $w2 = "\\DosDevices\\BS_Def" wide | |
| $w3 = "\\Device\\PhysicalMemory" wide | |
| $w4 = "\\Device\\PhysicalMemory" wide | |
| $m0 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m1 = {B2502848DDD3687A84184466755D7EC4B89F6326FF3D439C7C113810255573D9752769FD4EB9205CD30AF9A01B2AED55562161D81EDBE4BC336BC7EFDDA337658E1B930CB6531E5C7C66355F058A45FE764EDF5380A281209DAE885CA208F7E530F9EE22374C420ACEDFC61FC4D655E9813FB552A32CAA017AF2A2AA8D35FE9FE65D6A059F3D6BE3BF96C0FECC60F940E707A044EB81516EA52AF2B68A1028ED8FDC06A086509A7B4A080D301DCA109E6BF7E958AE04A94099B228E88F16AC3CE3536F4BD3359DB56F641DB3962CBB3DE779EB6D7AF916E626ADAFEF9953B7402C95B879AAFED452AB29747E42EC391EA26A16E659BB2468D80080431087806B} | |
| $m2 = {BEBCEEBC7EEF83EBE0374FFB031038BE08D28C7D9DFA927F190CC26BEE42528CDED31C481325EAC1637AF95165EED3AA3BF5F0949C2BFBF266D424DAF7F59F6E193936BCD0A376081E2227246C389127E28449AE1B8AA1FD25822C1030E871AB28E8774A51F1ECCDF8F054D46FC0E36D0A8FD9D8648D63B22D4E27F6850EFE6DE32999E285477C2D867FE8578FAD67C23332911320FCA923149A6DC2844B766804D5712C5D21FA880D26FD1F2D912BE701554DF26D352882DFD96B5CB6D6D9AA81FD5FCD83BA639DD022FCA93B4269B28E3AB5BCB49E0F5EC4EA2C828B28FD530896DDB50120D1F9A518E7C0EE517037E1B6054852486F38EAC3E86C7B4484BB} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {C686A3DA1EBDA81576729DC01D9D5EC87BC73D2BDF5B78872FA0E76CE1B9F0EF6CB1439A11B8FB0707792B7C5CFA7586AFC259297381B5C1CEFEFE95218C503710AD69A389F4FF32496303388E53288A6A86421FB946670662FB1B1548E17946BE9AA77A1391C4DA15412F46D188DF37543B7E1C6C3899E7CB4DADE75C623E81} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_61d6e40601fa368800980801a662a5b3b36e3c23296e8ae1c85726a56ef18cc8 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "61d6e40601fa368800980801a662a5b3b36e3c23296e8ae1c85726a56ef18cc8" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "CITMDRV.SYS: ZwCreateFile failed (0x%x)\n" | |
| $a1 = "CITMDRV.SYS: unload...\n" | |
| $a2 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_WRITECOMBINE\n" | |
| $a3 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_NOCACHE\n" | |
| $a4 = "CITMDRV.SYS: ZwUnmapViewOfSection failed (0x%x)\n" | |
| $a5 = "CITMDRV.SYS: copy %u bytes into user memory\n" | |
| $a6 = "CITMDRV.SYS: virtualAddress=0x%p\n" | |
| $a7 = "CITMDRV.SYS: Insufficient input or output buffer\n" | |
| $a8 = "CITMDRV.SYS: MmProbeAndLockPages access violation\n" | |
| $a9 = "CITMDRV.SYS: ZwMapViewOfSection failed (0x%x)\n" | |
| $a10 = "CITMDRV.SYS: userOffset = 0x%x\n" | |
| $a11 = "CITMDRV.SYS: requested offset = 0x%x\n" | |
| $a12 = "CITMDRV.SYS: aligned Address = 0x%I64x\n" | |
| $a13 = "CITMDRV.SYS: Try to split into single pages\n" | |
| $a14 = "CITMDRV.SYS: ZwOpenSection failed (0x%x)\n" | |
| $a15 = "CITMDRV.SYS: offset = 0x%x\n" | |
| $a16 = "CITMDRV.SYS: aligned end Address = 0x%I64x\n" | |
| $a17 = "CITMDRV.SYS: aligned start Address = 0x%I64x\n" | |
| $a18 = "CITMDRV.SYS: requested Size = 0x%x\n" | |
| $a19 = "CITMDRV.SYS: requested Address = 0x%I64x\n" | |
| $a20 = "CITMDRV.SYS: IoAllocateMdl failed\n" | |
| $a21 = "CITMDRV.SYS: userVirtualAddress = 0x%p\n" | |
| $a22 = "CITMDRV.SYS: IRP_MJ_CREATE\n" | |
| $a23 = "CITMDRV.SYS: unknown IRP_MJ_DEVICE_CONTROL\n" | |
| $a24 = "CITMDRV.SYS: IoCreateDevice failed\n" | |
| $a25 = "CITMDRV.SYS: IoCreateSymbolicLink failed\n" | |
| $a26 = "CITMDRV.SYS: DriverEntry...\n" | |
| $w0 = "\\DosDevices\\CITMDRV" wide | |
| $w1 = "\\Device\\PhysicalMemory" wide | |
| $w2 = "\\Device\\CITMDRV" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {D66D48AB487B00E92CAB08B846957A4918A507E5A6ACF04FEDCD529AB14D7EB0444DED486867E9C23B5CE55969AE520C6E556E2D1583277A6A09479D9CE2104BB76D1332005412F7D28AA1A85027F622F542F2832FB348F0454BE2D13BAD717280718D798272374000C8DF32748EB926321695E71ACA96FA4B55ACF24DF9A780BDEFE07205866592C1941457898ACB2A866226CF5C5E336C59B9D4359DAB8D340FCC0606C7565AEC8D5AACC37AAED10DD2F72260F831D1FA7ED05D69C7EF31C65424CAF31BF2D9482EA4108D0F7D13B30D6D5FC88D516E9992518D418A871F6CEBC20E55012AB2B7C73611995439723309A26374311F3C4C5D324E6CE5B2EAA3} | |
| $m3 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m4 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\NTIOLib_MSI_RAID" wide | |
| $w1 = "\\DosDevices\\NTIOLib_MSI_RAID" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {B24F14E710BED72672AB3697EF53BF42845E58D18A28FC43466F7E2844500B755D00D73C0A449E206AA4F7454A3760A36E3F12FA6DFAB646C36AA3B80C2728025728D150F7613955B8C3E12586523CBF051DD7B39AF89A243149D5A2A9E2D391AB3E3C73EFF629F1C835D0307B7F4E92A5068F87E2CEF5C16366AC18692AC15EBB5AE86E95FF3B80629D99C7C72F66D5FD621A82555AC6FA40778EC9303C1BF0F235B86C599CFDE9D6CAB4401EF704CAD167A974E3A50854D983353B8E8C230C75B6DE864A9E1A3E0A5049389CD2A890BF98FAC88C2B27117E2AFBCEDEA9AE389322FAA6ECFB5C6176C344D6CC0C7E2F6D0680A27440BBB71FF43BD773541FF3} | |
| $m2 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m3 = {BE4A2335C1F42275B5B0E7DD0A5B0C23655C15460D6E2E8455950F3EF4B46165CFB462C11F2C83EF605BF8ED1DC0808584DFD27F07F168DCDB64FB74B8F5A27190D81B187D0DD3F16A379AE523C9E2CF99ECC3EC1DA2567DB7967A08068BBC3288C310C7C6E0A34D724969FA8E317A31B2C8A414CBF217370C842939E5AE40813C50D577DCFED6E87CD8DF87744A8DED04E18FDD01E450A737B1663BF0A883778250EE26B95DD6A1F3F2AD0509B44D9E4CA02267FE8BC62F00197AD013933EC5F91B85208709E947F724CB1A1193F9CE3F1CD8CFAEC366C3C941E12F65EB098B67E31B59175C57B4D0A8988A7B5D93084EA27D4C14D525EC42C2B117D2BDA47B} | |
| $m4 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "Set Event(THREAD_EVENT_EXIT)\n" | |
| $a1 = "%s pMpegCodec->Open task(%d) codec handle(%d)\n" | |
| $a2 = "CPort_Constructor(dwOpenType=%d, frame_nbs=%d, frame_size=%d)\n" | |
| $a3 = "allocate buffer(m_pBufMem) = 0x%08x\n" | |
| $a4 = "DataBufferArray->Data[%d] = 0x%08x\n" | |
| $a5 = "CDeviceCtrl::QPGenericDevice_Release(m_pAudCodec)\n" | |
| $a6 = "CDeviceCtrl::QPGenericDevice_Release(m_pTVAudio)\n" | |
| $a7 = "CDeviceCtrl::QPGenericDevice_Release(m_pTuner)\n" | |
| $a8 = "CDeviceCtrl::QPGenericDevice_Release(m_pVidEncoder)\n" | |
| $a9 = "CDeviceCtrl::QPGenericDevice_Release(m_pVidDecoder)\n" | |
| $a10 = "CDeviceCtrl::QPGenericDevice_Release(m_pMpegCodec)\n" | |
| $a11 = "CDeviceCtrl::QPGenericDevice_Release(m_pCodecLib)\n" | |
| $a12 = "CDeviceCtrl::Start(), PIC(0x%02X) m_bLegalCard(%d) !!!!!!! " | |
| $a13 = "CDeviceCtrl::ReadLegalPic, DRV_COMPANY_NAME(%d) = 0x%02X, PicId(0x%02X)\n" | |
| $a14 = "== CDevice_Callback(dwCode = %x) ==\n" | |
| $a15 = "== InitDevice ==\n" | |
| $a16 = "== InitDevice::m_PhysicalDeviceObject(0x%08x), m_FunctionalDeviceObject(0x%08x) ==\n" | |
| $a17 = "== InitDevice:: call QPCodecInitLibrary (%0d) ==\n" | |
| $a18 = "== InitDevice:: call QPCodecLib_GetMpegCodec (%0d, m_pMpegCodec=0x%08x) ==\n" | |
| $a19 = "== InitDevice:: call QPCodecLib_GetVideoDecoder (%0d, m_pVidDecoder=0x%08x) ==\n" | |
| $a20 = "== InitDevice:: call QPCodecLib_GetVideoEncoder (%0d, m_pVidEncoder=0x%08x) ==\n" | |
| $a21 = "== InitDevice:: call QPCodecLib_GetTuner (%0d, m_pTuner=0x%08x) ==\n" | |
| $a22 = "== InitDevice:: call QPCodecLib_GetTVAudio (%0d, m_pTVAudio=0x%08x) ==\n" | |
| $a23 = "== InitDevice:: call QPCodecLib_GetAudioCodec (%0d, m_pAudCodec=0x%08x) ==\n" | |
| $a24 = " ========== QPGenericDevice_InitDevice Fail!!! ==========\n" | |
| $a25 = "Auto-Detect (====== Detect Product Type(%s) ==========\n" | |
| $a26 = "Auto-Detect (====== Delete m_pComponentMgr ==========\n" | |
| $a27 = "Auto-Detect (====== Re-new m_pComponentMgr ==========\n" | |
| $a28 = "Auto-Detect (====== Detect Product Type(%s) 222 ==========\n" | |
| $a29 = "==Downloading and verifying firmware file %ws..." | |
| $a30 = "DownloadFW: unable to open firmware file\n" | |
| $a31 = "DownloadFW: Open firmware file success\n" | |
| $a32 = "OpenFile::The program want to read %d bytes, ntStatus(%x)\n" | |
| $a33 = "DownloadFW: ZwReadFile OK(pBuffer = 0x%02x, ntStatus =%d, status_block=%d)\n" | |
| $a34 = "PollDataThreadProc(type = %d) Enter......\n" | |
| $a35 = "PollDataThreadProc(type = %d) Exit......\n" | |
| $a36 = "StartPollDataThread(type = %d)\n" | |
| $a37 = "StopPollDataThread(type = %d)\n" | |
| $a38 = "StopPollDataThread(type = %d) 2222\n" | |
| $a39 = "lOutFrameRate(%d, %d)\n" | |
| $a40 = "CheckSourceInfoChange::Original(lWidth=%d, lHeight=%d, lInFrameRate=%d, vdoStdType=%d, lScanFmt=%d, lVlost=%d hdcp=%d, lAudioRate=%d)\n" | |
| $a41 = "CheckSourceInfoChange::New(lWidth=%d, lHeight=%d, lInFrameRate=%d, vdoStdType=%d, lScanFmt=%d, lVlost=%d hdcp=%d, lAudioRate=%d)\n" | |
| $a42 = "CheckSourceInfoChange::Original222(lWidth=%d, lHeight=%d, lInFrameRate=%d, vdoStdType=%d, lScanFmt=%d, lVlost=%d hdcp=%d, lAudioRate=%d)\n" | |
| $a43 = "CheckSourceInfoChange::New222(lWidth=%d, lHeight=%d, lInFrameRate=%d, vdoStdType=%d, lScanFmt=%d, lVlost=%d hdcp=%d, lAudioRate=%d)\n" | |
| $a44 = "CheckSourceInfoChange::hdcp(%d)\n" | |
| $a45 = "StartDetectVideoThread\n" | |
| $a46 = "StopDetectVideoThread\n" | |
| $a47 = "StopDetectVideoThread 2222\n" | |
| $a48 = "StartRestartStreamingThread\n" | |
| $a49 = "StopRestartStreamingThread\n" | |
| $a50 = "StopRestartStreamingThread 2222\n" | |
| $a51 = "== RestartStreaming:: Set Flag(m_bResetStreamingVdo = %d, m_bResetStreamingAdo = %d)..... ==\n" | |
| $a52 = "== RestartStreaming:: Restart (video) ****... ==\n" | |
| $a53 = "== RestartStreaming:: Restart (audio) ****... ==\n" | |
| $a54 = "DetectVideoThreadProc Enter......\n" | |
| $a55 = "== DetectVideoThreadProc:: call KeSetEvent(m_evRestartStreaming)..... ==\n" | |
| $a56 = "== DetectVideoThreadProc:: no video frame over 5-seconds(lVlost = %d) ==\n" | |
| $a57 = "DetectVideoThreadProc Exit......\n" | |
| $a58 = "calling RestartStreaming()......\n" | |
| $a59 = "RestartStreamingThreadProc Exit......\n" | |
| $a60 = "GetCurrentSourceInfo(lWidth=%d, lHeight=%d, uSignal=%d, uStdType=%d, uScanMode=%d hdcp=%d, lInFrameRate = %d, lAudioRate = %d) 111\n" | |
| $a61 = "GetCurrentSourceInfo(lWidth=%d, lHeight=%d, uSignal=%d, uStdType=%d, uScanMode=%d hdcp=%d, lInFrameRate=%d, lAudioRate = %d) 222\n" | |
| $a62 = "--->CCaptureDevice::DispatchCreate Device:%X \n" | |
| $a63 = "--->CCaptureDevice::DispatchCreate XXX Device:%X \n" | |
| $a64 = "--->CCaptureDevice::DispatchCreate S2 CapDevice:%X \n" | |
| $a65 = "--->CCaptureDevice::DispatchCreate S3 Device:%X Status:%X\n" | |
| $a66 = "Device PnP start \n" | |
| $a67 = "Couldn't create filters" | |
| $a68 = "RegistryPath=\"%ws\"\n" | |
| $a69 = "CCaptureDevice::DevicePropertyAddress================(%d)(%d)\n" | |
| $a70 = " GetConfigSpace PIO_STACK_LOCATION \n" | |
| $a71 = " GetConfigSpace IoSetCompletionRoutine static ntStatus 0x%x \n" | |
| $a72 = " GetConfigSpace ntStatus 0x%x \n" | |
| $a73 = "CCaptureDevice::CreateFilterFactories DeviceID(%d) ######" | |
| $a74 = "create filters ntStatus %x \n" | |
| $a75 = "GetColor(COLOR_CONTROL_TYPE_BRIGHTNESS) Success\n" | |
| $a76 = "GetColor(COLOR_CONTROL_TYPE_CONTRAST) Success\n" | |
| $a77 = "GetColor(COLOR_CONTROL_TYPE_HUE) Success\n" | |
| $a78 = "GetColor(COLOR_CONTROL_TYPE_SATURATION) Success\n" | |
| $a79 = "GetColor(COLOR_CONTROL_TYPE_SHARPNESS) Success\n" | |
| $a80 = "CDevice::SetVideoProcAmpProperty(ID:%d) not supported" | |
| $a81 = "GetVideoDecProperty:: KSPROPERTY_VIDEODECODER_STANDARD:: vdoStdType(%d)\n" | |
| $a82 = "==================== CCaptureDevice::GetVideoControlProperty (Id = %d)====================\n" | |
| $a83 = "CCaptureDevice::UpdateVideoPinDataRanges() videoStdType(%d)\n" | |
| $a84 = "CCaptureDevice::UpdateVideoPinDataRanges() lNowAvgTimePerFrame(%d)\n" | |
| $a85 = "CCaptureDevice::UpdateVideoPinDataRanges() lMaxFrameRate(%d), curInputInfo.lInFrameRate(%d)\n" | |
| $a86 = "CDevice::SetVideoDecProperty() PId %d FId %02X" | |
| $a87 = "CDevice::SetVideoDecProperty(KSPROPERTY_VIDEODECODER_STANDARD) bufType(%d) FId %02X, dwNewVideoStandard(%x)" | |
| $a88 = "CDevice::GetCustomProperty() PId %d FId %02x" | |
| $a89 = "Get KSPROPERTY_CUSTOM_CONFIG_SUPPORT_SRC(m_ProductType = %s, SupportVdoSrc = %02X)\n" | |
| $a90 = "Get KSPROPERTY_CUSTOM_CONFIG_SRC(vdoSrcType = %d)\n" | |
| $a91 = "Get KSPROPERTY_CUSTOM_CONFIG_DEV_INFO ..(m_bLegalCard = %d)......\n" | |
| $a92 = "Get KSPROPERTY_CUSTOM_CONFIG_SRC_INFO ........\n" | |
| $a93 = "Set KSPROPERTY_CUSTOM_CONFIG_SRC(pData->m_uValue = %d, actual = %d), Status(%d)\n" | |
| $a94 = "==================== CCaptureDevice::SetVideoControlProperty (Id = %d)====================\n" | |
| $a95 = "SetVideoControlProperty(KSPROPERTY_VIDEOCONTROL_MODE) m_mirrorH%d m_mirrorV=%d\n" | |
| $a96 = "SetVideoColorTypeRegValue(colorType = %d, iValue = %d) success\n" | |
| $a97 = "SetVideoColorTypeRegValue(): OpenDriverKey() failed\n" | |
| $a98 = "ReadHdcpRegValue HKET_CURRENT_USER:m_bHdcpDisable = %d RegCurrentUser= %wZ \n" | |
| $a99 = "HKET_CURRENT_USER:ZwQueryKey STATUS_UNSUCCESSFUL 2\n" | |
| $a100 = "GetRegistryValue(colorType = %d): VideoColorValue failed\n" | |
| $a101 = "ReadVideoColorTypeRegValue(colorType = %d, iVideoColorValue = %d) success\n" | |
| $a102 = "ReadVideoColorTypeRegValue(): OpenDriverKey() failed\n" | |
| $a103 = "SetRegistryValue" | |
| $a104 = "Device::SetPower from %d to %d\n" | |
| $a105 = "Device::SetPower from %d to %d CleanupObjects \n" | |
| $a106 = "Device::SetPower from %d to %d InitializeObjects \n" | |
| $a107 = "Device::SetPower from %d to %d m_StreamData = %x 44444\n" | |
| $a108 = "Device::SetPower from %d to %d m_StreamData = %x 66666\n" | |
| $a109 = "CCaptureDevice::SetPower" | |
| $a110 = "%s unsupported device state requested\n" | |
| $a111 = "Device::AVStrMiniDeviceQueryPower DeviceFrom(%d) DeviceTo(%d) SystemFrom(%d) SystemTo(%d) Action(%d)) m_PowerStatus=%d\n" | |
| $a112 = "LastVideoSource" | |
| $a113 = "SetVideoSourceRegValue(iVideoSource = %d) success\n" | |
| $a114 = "SetVideoSourceRegValue(): OpenDriverKey() failed\n" | |
| $a115 = "GetRegistryValue(): VideoSource failed\n" | |
| $a116 = "ReadVideoSourceRegValue(iVideoSource = %d) success\n" | |
| $a117 = "ReadVideoSourceRegValue(): OpenDriverKey() failed\n" | |
| $a118 = "LastVideoMirrorV" | |
| $a119 = "LastVideoMirrorH" | |
| $a120 = "SetVideoVHRegValue(mirror = %d) success\n" | |
| $a121 = "SetVideoVHRegValue(): OpenDriverKey() failed\n" | |
| $a122 = "ReadVideoVHRegValue(iVideoSource = %d) success\n" | |
| $a123 = "ReadVideoVHRegValue(): OpenDriverKey() failed\n" | |
| $a124 = "SetAudioDrvTypeRegValue(type = %d) success\n" | |
| $a125 = "SetAudioDrvTypeRegValue(): OpenDriverKey() failed\n" | |
| $a126 = "ReadAudioDrvTypeRegValue GetRegistryValue():failed\n" | |
| $a127 = "ReadAudioDrvTypeRegValue(AudioDrvType = %d) success\n" | |
| $a128 = "ReadAudioDrvTypeRegValue(): OpenDriverKey() failed\n" | |
| $a129 = "DispatchSetState:: Pin(%d), ToState(%d), FromState(%d)\n" | |
| $a130 = " VideoHeaderSize %d DataRangeSize %d invalid \n" | |
| $a131 = "== KSDATAFORMAT_SPECIFIER_VIDEOINFO2 \n" | |
| $a132 = "QFVideoCapturePin:: start #### \n" | |
| $a133 = "QFVideoCapturePin:: Delay after setvideosource(start)\n" | |
| $a134 = "QFVideoCapturePin:: Delay after setvideosource(stop)\n" | |
| $a135 = "QFVideoCapturePin:: PoRegisterSystemState(%d)\n" | |
| $a136 = "QFVideoCapturePin:: Stop #### \n" | |
| $a137 = "QFVideoCapturePin:: Stop #### 1111\n" | |
| $a138 = "QFVideoCapturePin:: PoUnregisterSystemState #### 2222\n" | |
| $a139 = "QFVideoCapturePin::CaptureVideoInfoHeader(m_nCh=%d, m_VideoInfoHeader => rcSource[%d,%d], rcTarget[%d,%d], AvgTimePerFrame=%d)\n" | |
| $a140 = "QFVideoCapturePin::Pin has readly existed.... Don't run now...\n" | |
| $a141 = "QFVideoCapturePin::DispatchCreate(), id=%d, No PIC!!!!!!! \n" | |
| $a142 = "QFVideoCapturePin::DispatchCreate(), PIC(0x%02X)!!!!!!! \n" | |
| $a143 = "FC VideoCapturePin: %d BUF_TYPE_RAW_VIDEO \n" | |
| $a144 = "@@@@@@@ FC VideoCapturePin: %d pitch uW %d uH %d \n" | |
| $a145 = "QFVideoCapturePin::DispatchCreate: m_nCh=%d, FrameSize=%d, %dx%d, Format=%x, AvgTimePerFrame=%d\n" | |
| $a146 = "QFVideoCapturePin::DispatchClose: m_nCh=%d\n" | |
| $a147 = "QFVideoCapturePin:CleanupReferences CH%d \n" | |
| $a148 = "QFVideoCapturePin(%d)::SetState:: ToState(%d), FromState(%d)\n" | |
| $a149 = " QF$$$$$$$$$$$$ m_AcquiredResources = TRUE; m_nCh %X $$$$$$$$$$$\n" | |
| $a150 = " QFV setstate $$$$$$???? m_HardwareState = %x XXXXXXXXXX m_nCh %X \n" | |
| $a151 = "HandleRawVideoSample::FC Pin(%d), StreamPointerCount(%I64d) < m_VideoInfoHeader_Size(%ld).....\n" | |
| $a152 = "QFVideoCapturePin:: Put video data!!!!!!!!!(time = %I64d)\n" | |
| $a153 = "QFVideoCapturePin::DispatchSetFormat(%x)\n" | |
| $a154 = "QFVideoCapturePin::DispatchSetFormat : width = %d, height = %d\n" | |
| $a155 = "QFVideoCapturePin::DispatchSetFormat: Invalid format size detected \n" | |
| $a156 = "QFVideoCapturePin::DispatchSetFormat: W(%d) H(%d) bit(%d) AvgTimePerFrame(%d) A\n" | |
| $a157 = "CAudioCapturePin:: SetParameter(m_nSamplesPerSec = %d, m_wBitsPerSample=%d)\n" | |
| $a158 = "CAudioCapturePin:: start #### \n" | |
| $a159 = "CAudioCapturePin:: PoRegisterSystemState(%d)\n" | |
| $a160 = "CAudioCapturePin:: Start(adoSrcType = %d)**********\n" | |
| $a161 = "CAudioCapturePin:: Stop #### \n" | |
| $a162 = "CAudioCapturePin:: PoUnregisterSystemState #### 2222\n" | |
| $a163 = "CAudioCapturePin:: Stop #### 22222\n" | |
| $a164 = "FC CAudioCapturePin: %x KSNAME_Audio1_Filter \n" | |
| $a165 = "FC CAudioCapturePin: %d BUF_TYPE_RAW_AUDIO \n" | |
| $a166 = "IntersectHandler::pAudioDataFormat(nSamplesPerSec=%d, wBitsPerSample=%d)\n" | |
| $a167 = "=== CAudioCapturePin::m_adoQueueBufSize(%d) ===\n" | |
| $a168 = "HandleRawAudioSample::FC Pin(%d)CH(%d),==== m_AudioChangedResetQueue(%d), m_ReadErrorResetQueue(%d) ====\n" | |
| $a169 = "HandleRawAudioSample:: Put audio data!!!!!!!!!(time = %I64d) bCheckClock=%d\n" | |
| $a170 = "CAudioCapturePin::ThreadProc ======== End\n" | |
| $a171 = "CAudioCapturePin::StartThread ======== StartThread\n" | |
| $a172 = "CAudioCapturePin::StopThread ======== StopThread\n" | |
| $a173 = "CComponentMgr(m_VdoDecoderType=%d)\n" | |
| $a174 = "CComponent_Open :: AllocEncodeTask() failed status(%d)\n" | |
| $a175 = "CComponent_Open :: AllocEncodeTask() hTask(%d)\n" | |
| $a176 = "CComponent_Close :: ReleaseTask() hTask(%d)\n" | |
| $a177 = "CComponent_PortOpen(COMPONENT_PORT_YUV_OUT):: hTask[%d] Type[%d] W[%d], H[%d]\n" | |
| $a178 = "CComponent_PortOpen(COMPONENT_PORT_PCM_OUT)::\n" | |
| $a179 = "CComponent_PortOpen(w=%d, H=%d) \n" | |
| $a180 = "COMPONENT_PORT_YUV_OUT:: W=%d, H=%d, Bit=%d, nDataType=%d\n" | |
| $a181 = "COMPONENT_PORT_PCM_OUT:: sample_cnt=%d, ch_num=%d\n" | |
| $a182 = "== InitDevice:: call StartStreaming (type = %0d) ==\n" | |
| $a183 = "== InitDevice:: call CComponent_SetParam (type = %0d, qpStatus = %d) ==\n" | |
| $a184 = "== InitDevice:: call CComponent_PortOpen (type = %0d, qpStatus = %d) ==\n" | |
| $a185 = "== InitDevice:: call CComponent_Acquire (type = %0d, qpStatus = %d) ==\n" | |
| $a186 = "== InitDevice:: call CComponent_Start (type = %0d, qpStatus = %d) ==\n" | |
| $a187 = "== CComponentMgr:: call StopStreaming (type = %0d) ==\n" | |
| $a188 = "== InitDevice:: call CComponent_Stop (type = %0d, qpStatus = %d) ==\n" | |
| $a189 = "== InitDevice:: call CComponent_PortClose (type = %0d, qpStatus = %d) ==\n" | |
| $a190 = "SetFrameRate (Set lOutFrameRate = %d, m_CurDeviceInfo.lInFrameRate = %d)\n" | |
| $a191 = "SetFrameRate (Set actual lOutFrameRate = %d)\n" | |
| $a192 = "SetVideoSource (productType = %d, vdoSrcType = %d, actualValue = %d)\n" | |
| $a193 = "SetVideoScanControl(videoSource = %d, scan_format = %d, src_mode = %d, sync_mode = %d, data_type = %d, ck_edge = %d)\n" | |
| $a194 = "SetVideoScanControl(videoSource = %d, start_pixel = %d, start_line = %d)\n" | |
| $a195 = "SetVideoSize(lWidth = %d, lHeight = %d)\n" | |
| $a196 = "SetAudioSource (%s)\n" | |
| $a197 = "GetSourceInfo:: vlost(%d), width(%d), height(%d) ==> Information Fail!!!!\n" | |
| $a198 = "== InitDevice:: call CComponent_Open (type = %0d, qpStatus = %d) ==\n" | |
| $a199 = "== InitDevice:: call CComponent_GetParam (type = %0d, qpStatus = %d) ==\n" | |
| $a200 = "== InitDevice:: call CComponent_Close (type = %0d, qpStatus = %d) ==\n" | |
| $a201 = "== InitDevice:: call GetColor (type = %0d, piSetValue=%d, qpStatus = %d) ==\n" | |
| $a202 = "== ProtectCheck:: (pProtectId = 0x%0x) ==\n" | |
| $a203 = "Auto-Detect (====== (ADI7441 or ADI7842) Start =======\n" | |
| $a204 = "Auto-Detect (====== (ADI7441 or ADI7842)::Read_bytes(%x) OK =======\n" | |
| $a205 = "Auto-Detect (====== (PVH-100 or PVH-100A) Start =======\n" | |
| $a206 = "Auto-Detect (====== (PVH-100 or PVH-100A)::Read_bytes(%x) OK =======\n" | |
| $a207 = "Auto-Detect (====== Actual video decoder chip(%d) ==========\n" | |
| $a208 = "Auto-Detect (====== Actual video decoder chip(%d) 2222==========\n" | |
| $w0 = "CSDVersion" wide | |
| $w1 = "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Windows" wide | |
| $w2 = "RtlIsNtDdiVersionAvailable" wide | |
| $w3 = "\\systemroot\\system32\\drivers\\qpvidfwpcie.bin" wide | |
| $w4 = "\\systemroot\\system32\\drivers\\qpaudfw.bin" wide | |
| $w5 = "\\systemroot\\system32\\drivers\\hdcombosignal.bin" wide | |
| $w6 = "\\systemroot\\system32\\drivers\\hdcombokey.bin" wide | |
| $w7 = "DriverData" wide | |
| $w8 = "\\Software\\HTCPTool\\CapturePower.dat\\GUI" wide | |
| $w9 = "HdcpDisable" wide | |
| $w10 = "\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\" wide | |
| $w11 = "\\Registry\\User\\" wide | |
| $m0 = {A64463E548D1ADEAD6DF6D1A1596FD45B155B3E89AD45CCCEBFEBC6445A782D5934F4C02D2B39BAE4A9E59EDAF8F37C6FCC633621F1173F2C407DCE4315111B834EB9D604D0865A7166E973054CC31CFCFADB63A280842D2F0D7ED40BD1D350459B2ECDE34D8BE71B96CDE6D857A431AA62549CB590621E38D5FB096425389EF3FBC6AB5612E9BDA21E824C71244CBBD1FD021B4B354247F7FCB04BE3CC84F551AD831213FDB769C093C3B1E26D488CD9A9F64BB9585CC153EE29DA0FFF8B6287CD1DF56EF8A1C42A380799E517719E98BF4F6A6D20A8DDB5E238B57352E18196E541F5B3087847F60B8CC713B61C60A4090D47FD1F77E0FEA4C87D3371C8A81} | |
| $m1 = {CB5F1EAB51F4D37D612DD2199ABD25FD975C75CDCC23B09955F2B98003366A6F80C60CB5BA3C27450406156BAD0EDE7E47AE3803736B3D28130D242C2F391848A7465E08A9C45360C98C30A3C67D632146E008932FB895976F29FF79D88E9739C833A3571E307214EEB77A7FFF59DB35D075E9C9B2729D56C1CBB72CB7C79B1E2F6B9DE0493A1BF439D3BDA80BA769995B131C4E670937AEA0A826655ABA7FADBB49CA89066722C5E8921B198F02711F5BC1742406ACE87A28A96883A442BC2F247E81F17F27648F706768C372FB69D7E5F00E2C2233E41BC71BD7254D2FFC76FB317CF2989F8E1F6A9960ABBFF1320FCAFD33489D595C58ADE23D2978283074C8354EF2EF96185ADB60A8BEE7FD9AACF9C03DE37D4E4ACF0B65DF21A471E4222283F25360528E51813A35A0EAE9FCC175E085C206432C930ED3B762AF522735733FDB11A449F9BBE3DF3F95D9F9D493E870D9AC5B080C4931735FC6532C9B097548443349997730221181D41056562E24DC8CC49BB415A3618AD8C4EFE5CD44FBAD74E803A26D69C093A776BF16D97951B2A8109001DC87363E51AB71D9D14E958EE6D85BF3A9357087093B8C55F0D573357114FE6B0E5615B36B34BF7405EEA03B6DF86E3112E247F44BE7B7490DEB65CBA12384A47B5BF1E2FD6469CEB31F1B5B9F68F07522786FA839CBF0FEE4A667B90B4671FE7A7E75133E57E156509D} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "InitializePMCCounters" | |
| $a1 = "PwrProf: %s, Power HAL Arbitration failed!\n" | |
| $a2 = "ReadPmcCounterData" | |
| $a3 = "PwrProf: %s, PMC counters are not accessible\n" | |
| $a4 = "FillSmuAccessData" | |
| $a5 = "PwrProf: %s, No counters for smu %d\n" | |
| $a6 = "PwrProf: %s, NULL != pTargetInfo\n" | |
| $a7 = "CollectNodeCounters" | |
| $a8 = "PwrProf: %s, InvalidpCoreCfg or pCoreCfg->m_pCoreBuffer->m_pBuffer\n" | |
| $a9 = "PwrProf: %s, thread %d bus %d\n\n" | |
| $a10 = "CollectBasicCounters" | |
| $a11 = "InitializeGenericCounterAccess" | |
| $a12 = "PwrProf: %s, DPC thread id %d\n" | |
| $a13 = "AuthenticAMD" | |
| $a14 = "GetThreadsPerCore" | |
| $a15 = "PwrProf: %s, Threads per core :%d\n\n" | |
| $a16 = "GetThreadsPerSocket" | |
| $a17 = "PwrProf: %s, Threads per socket :%d\n\n" | |
| $a18 = "GetSocketCount" | |
| $a19 = "PwrProf: %s, Socket Cnt : %d \n\n" | |
| $a20 = "GetPhyCoresPerSocket" | |
| $a21 = "PwrProf: %s, GetPhyCoresPerSocket : %d \n\n" | |
| $a22 = "GetTargetPhyCoreCnt" | |
| $a23 = "PwrProf: %s, GetTargetPhyCoreCnt : %d \n\n" | |
| $a24 = "GetZenSystemInfo" | |
| $a25 = "PwrProf: %s, SOCKET CORE %d\n\n" | |
| $a26 = "PwrProf: %s, bus %u , device %u , func %u , reg %u , address %u, data %u\n\n" | |
| $a27 = "PwrProf: %s, Executed DPC %d\n" | |
| $a28 = "PwrProf: %s, thread %d extended apic 0x%x node %d\n" | |
| $a29 = "PrepareApicList" | |
| $a30 = "PwrProf: %s, thread %d phy %d\n" | |
| $a31 = "PwrSetExtendedApicId" | |
| $a32 = "PwrProf: %s, PwrSetExtendedApicId\n" | |
| $a33 = "GetRequiredBufferLength" | |
| $a34 = "PwrProf: %s, Basic counter len %d\n" | |
| $a35 = "PwrProf: %s, Node counter len %d\n" | |
| $a36 = "WriteSampleData" | |
| $a37 = "PwrProf: %s, NULL pointer pCoreCfg %s m_pBuffer %s\n" | |
| $a38 = "PwrProf: %s, marker name %s id %d\n" | |
| $a39 = "SMU7ReadSmuIndirectMappingRegister" | |
| $a40 = "PwrProf: %s, SMU not Accessible. Filling 0\n" | |
| $a41 = "PwrProf: %s, Thread %d reg 0x%x\n" | |
| $a42 = "GetMemoryPoolBuffer" | |
| $a43 = "PwrProf: %s, Memory pool not created/ invalid size %d total buffer %d\n" | |
| $a44 = "PwrProf: %s, Memory Allocation Failed\n" | |
| $a45 = "ResetPoolMemory" | |
| $a46 = "PwrProf: %s, Trying to access Invalid memory\n" | |
| $a47 = "AcquirePCMCountersLock" | |
| $a48 = "PwrProf: %s, HAL Arbitration failed!\n" | |
| $a49 = "PwrSetTargetCoreDpc" | |
| $a50 = "PwrProf: %s, Invalid target core number!\n" | |
| $a51 = "DeferredCoreCb" | |
| $a52 = "DeferedCoreExecution" | |
| $a53 = "PwrProf: %s, Set thread %d\n" | |
| $a54 = "DriverEntry" | |
| $a55 = "PwrProf: %s, PCore is not loaded\n" | |
| $a56 = "PwrProf: %s, Couldn't create the device object\n" | |
| $a57 = "PwrProf: %s, Couldn't create the symbolic link\n" | |
| $a58 = "PwrProf: %s, failed memory allocation for pClientData\n" | |
| $a59 = "PwrProfUnload" | |
| $a60 = "PwrProf: %s, PWRPROF: Unloading!!\n" | |
| $a61 = "PwrProfCreate" | |
| $a62 = "PwrProf: %s, PWRPROF: Driver Opened Successfully!\n\n" | |
| $a63 = "PwrProf: %s, Driver Closed Successfully!!\n" | |
| $a64 = "HelpUnregisterClient" | |
| $a65 = "PwrProf: %s, Aborting the profile due to unexpected unregistration.\n" | |
| $a66 = "PwrProf: %s, STATUS_ACCESS_DENIED: pCoreCfg + cnt\n" | |
| $a67 = "PwrProf: %s, Invalid pCfg or pCfg->m_pcoreCfg.m_coreId > max core\n" | |
| $a68 = "PwrProf: %s, pcore config res: 0x%lx, client %ld, core %ld sampling period %d failed\n" | |
| $a69 = "HelpStopProfile" | |
| $a70 = "PwrProf: %s, HelpStopProfile exited, due to stopping already\n" | |
| $a71 = "PwrProfCleanup" | |
| $a72 = "PwrProf: %s, Cleanup called\n" | |
| $a73 = "PwrProf: %s, cleanup unregistering client %d\n" | |
| $a74 = "AllocateAndInitDataBuffers" | |
| $a75 = "PwrProf: %s, pCore memory allocation failed\n" | |
| $a76 = "PwrProf: %s, pCfg memory allocation failed cnt %d\n" | |
| $a77 = "PwrProf: %s, pCfg->m_smuCfg memory allocation failed\n" | |
| $a78 = "PwrProf: %s, m_pCoreBuffer memory allocation failed for core %d\n" | |
| $a79 = "PwrProf: %s, m_pBuffer memory allocation failed for core %d\n" | |
| $a80 = "PwrProf: %s, pCfg->m_pCoreBuffer->m_pBuffer memory allocation failed\n" | |
| $a81 = "PwrProf: %s, pCfg->m_pOsData memory allocation failed\n" | |
| $a82 = "CreateSharedBuffer" | |
| $a83 = "PwrProf: %s, calling env 0x%x\n" | |
| $a84 = "PwrProf: %s, ZwOpenSection success sharedBufferSize %d\n" | |
| $a85 = "PwrProf: %s, ZwMapViewOfSection success commit size 0x%x\n" | |
| $a86 = "PwrProf: %s, pMdl success\n" | |
| $a87 = "PwrProf: %s, pSharedBuffer getting\n" | |
| $a88 = "PwrProf: %s, pSharedBuffer success RtlSecureZeroMemory...\n" | |
| $a89 = "IoctlGetVersionHandler" | |
| $a90 = "PwrProf: %s, IoctlGetVersionHandler called\n" | |
| $a91 = "IoctlAddProfConfigsHandler" | |
| $a92 = "PwrProf: %s, IoctlAddProfConfigsHandler called\n" | |
| $a93 = "PwrProf: %s, pTargetInfo is NULL\n" | |
| $a94 = "PwrProf: %s, ERROR IoctlAddProfConfigsHandler, input wrong size\n" | |
| $a95 = "PwrProf: %s, ERROR IoctlAddProfConfigsHandler, output too small\n" | |
| $a96 = "PwrProf: %s, ERROR IoctlAddProfConfigsHandler, helpCheckClient failed\n" | |
| $a97 = "PwrProf: %s, ERROR Session pool creation failed\n" | |
| $a98 = "PwrProf: %s, ERROR CreateSharedBuffer failed\n" | |
| $a99 = "PwrProf: %s, ERROR AllocateAndInitDataBuffers failed\n" | |
| $a100 = "PwrProf: %s, Header bufffer memory allocation failed\n" | |
| $a101 = "PwrProf: %s, pCoreCfg memory access error\n" | |
| $a102 = "PwrProf: %s, thread id %d sampling count %d\n" | |
| $a103 = "PwrProf: %s, Invalid memory access pCoreCfg->m_pOsData\n" | |
| $a104 = "PwrProf: %s, Invalid memory access pCoreCfg->m_smuCfg\n" | |
| $a105 = "PwrProf: %s, Error: PROF_ERROR_SMU_CONGIGURATION\n" | |
| $a106 = "IoctlStartProfilerHandler" | |
| $a107 = "PwrProf: %s, IoctlStartProfilerHandler called\n" | |
| $a108 = "PwrProf: %s, IoctlStartProfilerHandler invalid Operation\n" | |
| $a109 = "IoctlPauseProfilerHandler" | |
| $a110 = "PwrProf: %s, IoctlPauseProfilerHandler called\n" | |
| $a111 = "PwrProf: %s, IoctlPauseProfilerHandler invalid Operation\n" | |
| $a112 = "PwrProf: %s, IGNORING PAUSE, already paused!!!\n" | |
| $a113 = "IoctlResumeProfilerHandler" | |
| $a114 = "PwrProf: %s, IoctlResumeProfilerHandler called\n" | |
| $a115 = "PwrProf: %s, IoctlResumeProfilerHandler invalid Operation\n" | |
| $a116 = "PwrProf: %s, IGNORING RESUME, already resumed!!!\n" | |
| $a117 = "IoctlGetFileHeaderBufferHandler" | |
| $a118 = "PwrProf: %s, IoctlGetFileHeaderBufferHandler called\n" | |
| $a119 = "PwrProf: %s, IoctlGetFileHeaderBufferHandler invalid Operation\n" | |
| $a120 = "PwrProf: %s, IoctlGetFileHeaderBufferHandler invalid buffer id\n" | |
| $a121 = "IoctlStopProfilerHandler" | |
| $a122 = "PwrProf: %s, IoctlStopProfilerHandler called\n" | |
| $a123 = "IoctlAccessMSR" | |
| $a124 = "PwrProf: %s, IoctlAccessMSR called\n" | |
| $a125 = "IoctlAccessMMIO" | |
| $a126 = "PwrProf: %s, IoctlAccessMMIO called\n" | |
| $a127 = "PwrProf: %s, Input buffer length missmatch expected %d, actual %d\n" | |
| $a128 = "PwrProf: %s, Output buffer length missmatch expected %d, actual %d\n" | |
| $a129 = "PwrProf: %s, ERROR: ObReferenceObjectByHandle failed: STATUS_OBJECT_TYPE_MISMATCH\n" | |
| $a130 = "PwrProf: %s, ERROR: ObReferenceObjectByHandle failed: STATUS_ACCESS_DENIED\n" | |
| $a131 = "PwrProf: %s, ERROR: ObReferenceObjectByHandle failed: STATUS_INVALID_HANDLE\n" | |
| $a132 = "PwrProf: %s, ERROR: ObReferenceObjectByHandle unknown %d\n" | |
| $a133 = "IoctlGetTargetSystemInfo" | |
| $a134 = "PwrProf: %s, IoctlGetTargetSystemInfo called\n" | |
| $a135 = "PwrProf: %s, ERROR:STATUS_INFO_LENGTH_MISMATCH InputBufferLength %d sizeof(TARGET_SYSTEM_INFO) %d\n" | |
| $a136 = "PwrProf: %s, ERROR:STATUS_BUFFER_TOO_SMALL OutputBufferLength %d sizeof(TARGET_SYSTEM_INFO) %d\n" | |
| $a137 = "PwrProf: %s, Target System info is NULL\n" | |
| $a138 = "PwrProf: %s, pSystemInfo == NULL\n" | |
| $a139 = "IoctlSetOutputFileHandler" | |
| $a140 = "PwrProf: %s, IoctlSetOutputFileHandler called\n" | |
| $a141 = "PwrProf: %s, Provided string size doesn't match actual string length!\n" | |
| $a142 = "PowerProf::WriteCreateProcessInfo" | |
| $a143 = "PwrProf: %s, Failed to write record to TI file.\n" | |
| $a144 = "PowerProf::WriteCreateThreadInfo" | |
| $w0 = "\\Device\\AMDPowerProfiler0" wide | |
| $w1 = "\\??\\AMDPowerProfiler0" wide | |
| $w2 = "\\BaseNamedObjects\\Global\\AMDPROFILER_PWRPROF_SHARED_OBJ" wide | |
| $m0 = {C2E6618467C58AF50D08A445CA636B51D73A1142BD0A75754D94B40C50B52610FE1DC86F916B0C96E71A5C48EF44E5BF9B61CD1591625AB8FF670B9C63FD366A81FA29F8DD2B7085DE0218F3786DBC7DF9C76D093DBE6A7687E98ABDF8845D1E76C9E4C676763A53D1D1D35A368FC6A3E12F1B3AB761D673EC4E6D338A7C5D452D4BB150E6413A375686DC93238DF75025E864E6DDD38F2F57B58720EB0E8E2CD523DAF44D7846E3038331294A5C0C318A4A8C88C5F7305AF914AF155F6C434909FD262353F68D63E81AAB5BB11D30C29B6982B4DBFC5654BC1FA187ABBE7A5B0A202F4B09C995A78DB2FAD6638B4EA5721CEE9F7A0173F819D6FE0D4984BD01} | |
| $m1 = {BDD032EE4BCD8F7FDDA9BA8299C539542857B6234AC40E07453351107DD0F97D4D687EE7B6A0F48DB388E497BF63219098BF13BC57D3C3E17E08D66A140038F72E1E3BEECCA6F63259FE5F653FE09BEBE34647061A557E0B277EC0A2F5A0E0DE223F0EFF7E95FBF3A3BA223E18AC11E4F099036D3B857C09D3EE5DC89A0B54E3A809716BE0CF22100F75CF71724E0AADDF403A5CB751E1A17914C64D2423305DBCEC3C606AAC2F07CCFDF0EA47D988505EFD666E56612729898451E682E74650FD942A2CA7E4753EBA980F847F9F3114D6ADD5F264CB7B1E05D084197217F11706EF3DCDD64DEF0642FDA2532A4F851DC41D3CAFCFDAAC10F5DDACACE956FF93} | |
| $m2 = {B17FFCF08FAA249C2F5C8925C35964A28BCDD34AA94A9EE17D1BE05E6D80E226520DB061003BA85EDA64020D18E53A1DE5EF93047A9EAEB213129BCE98D4D9714496BF210AD7B96682902505E956E570BE4DD0A7EA60A5589B962333207E611390FA81F430141B33BD1B417EE6665BC773C44E7ABB863CAB6C7801ABAD4017B860B78F834C9D00B06F0EC93969E59412A821E29B30B35C297C0753AD60D250AE596F752F4356566521AA9CF773B5364541F8FF3159B2163FF8C2D5D2078B26A66ED10991E66652FCD3BF64F534BF6B212688DE94FE79E8DCCEB48C8EDA6CAE399971360565AF30184F052C3D769EB801C871A1EED1CF8AA5007B2544B1D17917} | |
| $m3 = {80126517360EC3DB08B3D0AC570D76EDCD27D34CAD508361E2AA204D092D6409DCCE899FCC3DA9ECF6CFC1DCF1D3B1D67B3728112B47DA39C6BC3A19B45FA6BD7D9DA36342B676F2A93B2B91F8E26FD0EC162090093EE2E874C918B491D46264DB7FA306F188186A90223CBCFE13F087147BF6E41F8ED4E451C61167460851CB8614543FBC33FE7E6C9CFF169D18BD518E35A6A766C87267DB2166B1D49B7803C0503AE8CCF0DCBC9E4CFEAF0596351F575AB7FFCEF93DB72CB6F654DDC8E7123A4DAE4C8AB75C9AB4B7203DCA7F2234AE7E3B68660144E7014E46539B3360F794BE5337907343F332C353EFDBAAFE744E69C76B8C6093DEC4C70CDFE132AECC933B517895678BEE3D56FE0CD0690F1B0FF325266B336DF76E47FA7343E57E0EA566B1297C3284635589C40DC19354301913ACD37D37A7EB5D3A6C355CDB41D712DAA9490BDFD8808A0993628EB566CF2588CD84B8B13FA4390FD9029EEB124C957CF36B05A95E1683CCB867E2E8139DCC5B82D34CB3ED5BFFDEE573AC233B2D00BF3555740949D849581A7F9236E651920EF3267D1C4D17BCC9EC4326D0BF415F40A94444F499E757879E501F5754A83EFD74632FB1506509E658422E431A4CB4F0254759FA041E93D426464A5081B2DEBE78B7FC6715E1C957841E0F63D6E962BAD65F552EEA5CC62808042539B80E2BA9F24C971C073F0D52F5EDEF2F820F} | |
| $m4 = {86228D32857A189F49F0962F63081E2DDC7C9F14CFE326B625662940865446743162C510EDB28727A699CB9530C056F5A475C6A90E5062A55191106AE04B62AEFDF0F818ACA7FFEE2E3320FA0C1989A86C7BAD00C361A1DC69656D1F6E2796D7975186A6F427E57C6A8B951E5B60D57ED716929C002F68F797ED6A72BE383B63DE8FBF6E4C415D12200859E839CD8FD2D6CF06B45705B64EA13E576B1F98BCC462D61B0B8DC7661B4A9F9D81C47240B5E25FEF0B45FFA3CE17A62D55B0B7B0BC546A9DBC8D5653C6F0BA7950492CF703B9FE2F6535F222EA2C07AF46D9F9461CDC8C7C7128F3FEA7C614DD55916E8A110DDF0624957D0FA7A17C3ADA863561D3} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "Unknown" | |
| $a1 = "Phoenix - Award" | |
| $a2 = "Phoenix-Award" | |
| $w0 = "\\DosDevices\\BS_Def" wide | |
| $w1 = "\\Device\\BS_Def" wide | |
| $w2 = "\\DosDevices\\BS_Def" wide | |
| $w3 = "\\Device\\PhysicalMemory" wide | |
| $w4 = "\\Device\\PhysicalMemory" wide | |
| $m0 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m1 = {B2502848DDD3687A84184466755D7EC4B89F6326FF3D439C7C113810255573D9752769FD4EB9205CD30AF9A01B2AED55562161D81EDBE4BC336BC7EFDDA337658E1B930CB6531E5C7C66355F058A45FE764EDF5380A281209DAE885CA208F7E530F9EE22374C420ACEDFC61FC4D655E9813FB552A32CAA017AF2A2AA8D35FE9FE65D6A059F3D6BE3BF96C0FECC60F940E707A044EB81516EA52AF2B68A1028ED8FDC06A086509A7B4A080D301DCA109E6BF7E958AE04A94099B228E88F16AC3CE3536F4BD3359DB56F641DB3962CBB3DE779EB6D7AF916E626ADAFEF9953B7402C95B879AAFED452AB29747E42EC391EA26A16E659BB2468D80080431087806B} | |
| $m2 = {BEBCEEBC7EEF83EBE0374FFB031038BE08D28C7D9DFA927F190CC26BEE42528CDED31C481325EAC1637AF95165EED3AA3BF5F0949C2BFBF266D424DAF7F59F6E193936BCD0A376081E2227246C389127E28449AE1B8AA1FD25822C1030E871AB28E8774A51F1ECCDF8F054D46FC0E36D0A8FD9D8648D63B22D4E27F6850EFE6DE32999E285477C2D867FE8578FAD67C23332911320FCA923149A6DC2844B766804D5712C5D21FA880D26FD1F2D912BE701554DF26D352882DFD96B5CB6D6D9AA81FD5FCD83BA639DD022FCA93B4269B28E3AB5BCB49E0F5EC4EA2C828B28FD530896DDB50120D1F9A518E7C0EE517037E1B6054852486F38EAC3E86C7B4484BB} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {C686A3DA1EBDA81576729DC01D9D5EC87BC73D2BDF5B78872FA0E76CE1B9F0EF6CB1439A11B8FB0707792B7C5CFA7586AFC259297381B5C1CEFEFE95218C503710AD69A389F4FF32496303388E53288A6A86421FB946670662FB1B1548E17946BE9AA77A1391C4DA15412F46D188DF37543B7E1C6C3899E7CB4DADE75C623E81} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\DosDevices\\AsrDrv102" wide | |
| $w1 = "\\REGISTRY\\MACHINE\\HARDWARE\\RESOURCEMAP\\System Resources\\Physical Memory" wide | |
| $w2 = ".Translated" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {D67A74E9DC9685FA0F266297B09723664D0C8D9D1A38E749A1AD896A90F7BA01ADBF6F0FFC9378EFD1D4E17E4B20A22D1BA4D28F47F4A061D1C5CB031064E94A6102D15ADE1E9765E5F92C8E400C45AB248CA68C120CCCAEFB7FFC28143ACDCB257079C7B5BF6FCFC1C33AA9B01A0E7011AF97E808734152C4B3B9BD5B8028EDE16E5D2E17432C0EDB75C750949526DE6D807BAA0EFA96ABB5B4194F8EF6AE01D0199CAC40AFB99A3D8C6982DC560FDCBD1F7919C3A2385385D03A9B5FAAB3D4AE22C5DDC69268E2DCA124D1822E4D116B20E67325796EB1DB21CF23FC526E882B2026622228F0223B0DBA1DEF0358A3AB44E92EEC6F5B129F5327F290EDBADB} | |
| $m5 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69" | |
| created = "2023-04-07" | |
| strings: | |
| $m0 = {8AFDBD43F03DC8551FF3598AF05AB4DC93D164154A8A84A52DCB26F8E04538A3B901C54F130859D03154CACD9061A33E2CF24D155CD4EEC36A229748D10643340999C9CF30C49F44FD569CEECCE783B981CDC8DA0B1C1248FF6FA2ECC475CB0970CF51E5BB8B9FAABD78067D95D66181F6DA53C7AC9DB300BA1ED4BE40620999833D45DD4D659504CCFCFAC75B7AE22E0C3D55355735488989F2B956A54B501B1CDE9890BDF32EDC88A9F1759BA83EA205D941B5EF77AD17C05AF5A3DB4D9FD1C4B17B83B5EE10942B2E72AEBEEF95299C5262C52C6D22F77D447A105F6393694DD97DB29AB14EB559BFFF85FBBDACECE12BA6E32C2CE8D96EDB5F4D1778CB53} | |
| $m1 = {91E85492D20A56B1AC0D24DDC5CF446774992B37A37D23700071BC53DFC4FA2A128F4B7F1056BD9F7072B7617FC94B0F17A73DE3B00461EEFF1197C7F4863E0AFA3E5CF993E6347AD9146BE79CB385A0827A76AF7190D7ECFD0DFA9C6CFADFB082F4147EF9BEC4A62F4F7F997FB5FC674372BD0C00D689EB6B2CD3ED8F981C14AB7EE5E36EFCD8A8E49224DA436B62B855FDEAC1BC6CB68BF30E8D9AE49B6C6999F878483045D5ADE10D3C4560FC32965127BC67C3CA2EB66BEA46C7C720A0B11F65DE4808BAA44EA9F283463784EBE8CC814843674E722A9B5CBD4C1B288A5C227BB4AB98D9EEE05183C309464E6D3E99FA9517DA7C3357413C8D51ED0BB65CAF2C631ADF57C83FBCE95DC49BAF4599E2A35A24B4BAA9563DCF6FAAFF4958BEF0A8FFF4B8ADE937FBBAB8F40B3AF9E843421E89D884CB13F1D9BBE18960B88C2856AC141D9C0AE771EBCF0EDD3DA996A148BD3CF7AFB50D224CC01181EC563BF6D3A2E25BB7B204225295809369E88E4C65F191032D707402EA8B671529695202BBD7DF506A5546BFA0A328617F70D0C3A2AA2C21AA47CE289C064576BF821827B4D5AEB4CB50E66BF44C867130E9A6DF1686E0D8FF40DDFBD042887FA3333A2E5C1E41118163CE18716B2BECA68AB7315C3A6A47E0C37959D6201AAFF26A98AA72BC574AD24B9DBB10FCB04C41E5ED1D3D5E289D9CCCBFB351DAA747E58453} | |
| $m2 = {BAC358A22AFA57BD83AA0D7E05FFE893EF2804B704D93DC2BD9F628870C93FC174D849F2EA8B3E7DB918A25320C0743F9FE244082D5F50D702E7DFA1D3BFCD60D85640D65C82898E9C4883FCB1477C75F9C346532802AB8F376A3CF6A4B719460002821497FFDC084762C5385ACB2ED24E22187C2C41231532C313D9E32F3FFB5B6350140F7A7EBBA0BF5418EA2CF50E61398CB599BCA6B89B9D1925166667CD561497F8E54700A2D57873C0993A31BD6329345973F20FA8C6595C8666C7DF09C32BF8EF0419BE8CDF17C115AED19C01E16BC3BD1F944BAC1EDF384730769ED79D29F61B33D665F30E8BD4BE39F26DBC19E7044D7C20C8347F57784066C98AB9} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\NTIOLib_MSISMB_CC" wide | |
| $w1 = "\\DosDevices\\NTIOLib_MSISMB_CC" wide | |
| $m0 = {A9596674DA3D8A7D7AD8FCF580447BFE476A14554E50470BECD3EDCEF638F74F69B9B1F0B678820A8C761667E202ADB70DA58AF603FC66D3FC082DCCB573597B89DC336E665A5E5237B462D1925935148B45AC59B24D24A298946842729F3A68E26B8B9E222DF4984E9AC6AFB3E4A0AB3C28BF23E1D772A4F2105367AE77AF51} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {B24F14E710BED72672AB3697EF53BF42845E58D18A28FC43466F7E2844500B755D00D73C0A449E206AA4F7454A3760A36E3F12FA6DFAB646C36AA3B80C2728025728D150F7613955B8C3E12586523CBF051DD7B39AF89A243149D5A2A9E2D391AB3E3C73EFF629F1C835D0307B7F4E92A5068F87E2CEF5C16366AC18692AC15EBB5AE86E95FF3B80629D99C7C72F66D5FD621A82555AC6FA40778EC9303C1BF0F235B86C599CFDE9D6CAB4401EF704CAD167A974E3A50854D983353B8E8C230C75B6DE864A9E1A3E0A5049389CD2A890BF98FAC88C2B27117E2AFBCEDEA9AE389322FAA6ECFB5C6176C344D6CC0C7E2F6D0680A27440BBB71FF43BD773541FF3} | |
| $m3 = {BE4A2335C1F42275B5B0E7DD0A5B0C23655C15460D6E2E8455950F3EF4B46165CFB462C11F2C83EF605BF8ED1DC0808584DFD27F07F168DCDB64FB74B8F5A27190D81B187D0DD3F16A379AE523C9E2CF99ECC3EC1DA2567DB7967A08068BBC3288C310C7C6E0A34D724969FA8E317A31B2C8A414CBF217370C842939E5AE40813C50D577DCFED6E87CD8DF87744A8DED04E18FDD01E450A737B1663BF0A883778250EE26B95DD6A1F3F2AD0509B44D9E4CA02267FE8BC62F00197AD013933EC5F91B85208709E947F724CB1A1193F9CE3F1CD8CFAEC366C3C941E12F65EB098B67E31B59175C57B4D0A8988A7B5D93084EA27D4C14D525EC42C2B117D2BDA47B} | |
| $m4 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\DosDevices\\AsrIbDrv" wide | |
| $w1 = "\\REGISTRY\\MACHINE\\HARDWARE\\RESOURCEMAP\\System Resources\\Physical Memory" wide | |
| $w2 = ".Translated" wide | |
| $m0 = {C4B5F25215BC88866029164A5B2F4B916B8791F335545835EAD1365E624D52513471C27B661D89C8DD2AC46A0AF637D9987491F692AEB0B57696F1A94A6345472E6B0B924E4B2B8CEE584A8BD407E41A2CF882AA58D9CD42F32DC075DE8DABC78E1D9A6C4C08951EDEDBEF67E172C249C29E603CE1E2BE16A3637869147BAD2D} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {EFF813CA43D195BD645B01FC099DD99A44C4AFB0CB5D4E521ACDC1B74CEED891C9A2EA371DE16EC9A62D3988E018C0D22A2D6BF72C440B9C6BA277D27158975F136FAE88BE5FAF7B7BEDF49B61EA77086968FBAE43CFBAF93230DE4303D86F561572CD2A92143986595D8C347A2E6738F52EA1CA9691884BE506F8B0CFD6418BD0FAB6BB260FBB42947D184D6D38D6062EB24FCBF831355269660AB355AA9D94A12311F1B2C59148D9B80A3BCAC20D7018D3B1711D8AD8CAF44E82558A47D9C50CFDFC422C729A1E96237A2E10CC3E69702985FEEA04BF3AC9C289FEC334A6281C773B6FD090C1ED5D5514DB91A99654E82BC4508B10FE50EA23DB0E8E798211} | |
| $m5 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_42579a759f3f95f20a2c51d5ac2047a2662a2675b3fb9f46c1ed7f23393a0f00 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "42579a759f3f95f20a2c51d5ac2047a2662a2675b3fb9f46c1ed7f23393a0f00" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\PhysicalMemory" wide | |
| $w1 = "\\??\\genericdrv" wide | |
| $w2 = "\\Device\\genericdrv" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {A59C1E2F02921C8BBC0BD93636E1CF671D4F4B007C7589B6863105C3C25FC3747064F8491F5DCDFA0185045451ED621CBADB96C0F4C783EC9E3B6F51BE55B3E2F3BA6FC5CF99374E86D71D956912F7061F37FB6369DE595EEA039EE46C1C5BCDFB1E946D91A788092704C0D29DABC1C400B1954EBD1D4C41523E7C0AF01572858CBA57C8205326FD46537849A8E3BC81DEEFA7888734FE312ECDD93B634EDC1A7A8E7B91E6E1314601650CB33FCE1731F08D0D8CC81592F3BD4447049C5F0FF687C769B0211FA9567F1C3C129E1815D95989C36C9FF88B11AC846DCECBEAB505261BFAB9A38905C1A61FA65A2B54534272E380D34A69893A358358CAB626CFF7} | |
| $m3 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m4 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "Irp->CurrentLocation <= Irp->StackCount + 1" | |
| $a1 = "Irp->CurrentLocation > 0" | |
| $a2 = "(InvokeOnSuccess || InvokeOnError || InvokeOnCancel) ? (CompletionRoutine != NULL) : TRUE" | |
| $a3 = "d:\\dev\\dev\\pt64\\kevp64\\common.h" | |
| $a4 = "gPreviousModeOffset" | |
| $a5 = "[kEvP64]Windows %d.%d, SP%d.%d, build %d\n" | |
| $a6 = "[kEvP64]Initialized version-specific data for Windows 7 SP%d\n" | |
| $a7 = "[kEvP64]Initialized version-specific data for Windows 8 SP%d\n" | |
| $a8 = "[kEvP64]Initialized version-specific data for Windows 8.1 SP%d\n" | |
| $a9 = "[kEvP64] ProcessImageFileName: ProcessImageFileName returned 0x%X.\n" | |
| $a10 = "[kEvP64] ObOpenObjectByPointer= 0x%X.\n" | |
| $a11 = "[kEvP64] FltEnumerateFilters=0x%08X\n" | |
| $a12 = "[kEvP64] ntStatus=%x\n" | |
| $a13 = "[kEvP] ntStatus=0x%08X\n" | |
| $a14 = "[kEvP64]IoInitializeTimer = %llx \r\n" | |
| $a15 = "[kEvP64]nt!IopTimerQueueHead = %08I64x \r\n" | |
| $a16 = "[kEvP64] GetRegFullPath ObQueryNameString Exception!" | |
| $a17 = "[kEvP64]ZwOpenDirectoryObject Error = %llx\n" | |
| $a18 = "[kEvP64]ZwQueryDirectoryObject Error = %llx\n" | |
| $a19 = "[kEvP64]ObReferenceObjectByName error %ws, %llx\n" | |
| $a20 = "[kEvP64] KePrintTimers: Invalid address\n" | |
| $a21 = "CreateFile exception! error=%x\n" | |
| $a22 = "CreateFile error=%x\n" | |
| $a23 = "SetInformationFile1 error=%x\n" | |
| $a24 = "SetInformationFile2 error=%x\n" | |
| $a25 = "[kEvP]IoCreateFile = %ws,%x! \r\n" | |
| $a26 = "[kEvP64]STATUS_BUFFER_TOO_SMALL = %d, %d\n" | |
| $a27 = "[kEvP64] STATUS_BUFFER_TOO_SMALL\n" | |
| $a28 = "KeAddSystemServiceTable" | |
| $a29 = "System" | |
| $a30 = "[kEvP64] KeInsertQueueApc Error \n" | |
| $a31 = "[kEvP64] Unloading...\r\n" | |
| $a32 = "[kEvP64] Unloaded Success\r\n" | |
| $a33 = "explorer.exe" | |
| $a34 = "EXCEPTION_EXECUTE_HANDLER = %x\n" | |
| $a35 = "[kEvP64] Unknown IOCTL: 0x%X (%04X,%04X)\r\n" | |
| $w0 = "PsLookupProcessByProcessId" wide | |
| $w1 = "\\Device\\Harddisk0\\DR0" wide | |
| $w2 = "ExSystemTimeToLocalTime" wide | |
| $w3 = "\\Driver\\%ws" wide | |
| $w4 = "IoInitializeTimer" wide | |
| $w5 = "System" wide | |
| $w6 = "\\Driver" wide | |
| $w7 = "\\FileSystem" wide | |
| $w8 = "\\FileSystem\\Filters" wide | |
| $w9 = "\\FileSystem\\%ws" wide | |
| $w10 = "\\FileSystem\\Filters\\%ws" wide | |
| $w11 = "\\ObjectTypes" wide | |
| $w12 = "\\ObjectTypes\\%ws" wide | |
| $w13 = "\\DosDevices\\*:\\" wide | |
| $w14 = "\\device\\nsi" wide | |
| $w15 = "\\Driver\\" wide | |
| $w16 = "\\FileSystem\\" wide | |
| $w17 = "\\DosDevices\\kEvP64" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {AB9EE012C6142190AA78BA9D534691767DB5CBE3556D383DDC3EB0E5B0A8EDF16CEDDD9A0503822E56FC33C387E58A94685396F3006F1EE3F1C3EA3DC7CBD31F3C9F8B8010099B12CFA72D0FD7BC4257DC042ADF13957F82DFE408962F129F84D2467B187A5458200B82BCA450C467B26658297F7449904D493E3D4356D289F55B2F0CE68F363EC687D44E8A40177A4DB8BBE9E563C62FD3F4176FFCC6CF55F95C73A9BF9774C9A56D186976D7AEFF7C5706917B951D6DCD5418B3F0AC5016B42E5495D12E0AD507622CD2ABAB2E561383512A433DD0DCF23F824987EDE291819F679A757D75144F135EBE9B4D6AEC12A3A53DA38C5E846B76DC5CFEBD925051} | |
| $m3 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m4 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "================Default==============" | |
| $a1 = "DisableKB" | |
| $a2 = "EnableKB" | |
| $a3 = "Irp->CurrentLocation <= Irp->StackCount + 1" | |
| $a4 = "DRIVER7_DispatchCreateClose_enter!" | |
| $a5 = "Driver7: IRP_MJ_CREATE\n" | |
| $a6 = "Driver7: IRP_MJ_CLOSE\n" | |
| $a7 = "DRIVER7_DispatchCreateClose_exit!" | |
| $a8 = "DispatchDeviceControl_enter!" | |
| $a9 = "IOCTL_Version = 2.5.0" | |
| $a10 = "inLength = %d" | |
| $a11 = "outLength = %d" | |
| $a12 = "IOCTL_DRIVER7_OPERATION_OPERATION!" | |
| $a13 = "IOCTL_Win7Ready_OPERATION" | |
| $a14 = "Read Length = %d" | |
| $a15 = "Write Length = %d" | |
| $a16 = "IOCTL_CH1RB_COMMAND" | |
| $a17 = "IOCTL_CH1WB_COMMAND" | |
| $a18 = "Outport 0x%08X = 0x%08X" | |
| $a19 = "Inport 0x%08X = 0x%08X" | |
| $a20 = "Outport 0x%04X = 0x%04X" | |
| $a21 = "Inport 0x%04X = 0x%04X" | |
| $a22 = "Outport 0x%04X = 0x%02X" | |
| $a23 = "Inport 0x%04X = 0x%02X" | |
| $a24 = "Inport 0x%08X = 0x%08X" | |
| $a25 = "Masked32 = 0x%08X" | |
| $a26 = "IBuffer create NULL = %d" | |
| $a27 = "IOCTL_ReadPCI Success!!" | |
| $a28 = "(MAPMEM) Buffer size error\n" | |
| $a29 = "Status_Success!!" | |
| $a30 = "Status_UnSuccess!!" | |
| $a31 = "(UMMAPMEM) Insufficient input or output buffer\n" | |
| $a32 = "IOCTL_CPUCommand" | |
| $a33 = "IOCTL_CPUCommand End" | |
| $a34 = "IOCTL_ReadPCIn Success!!!!" | |
| $a35 = "IOCTL_ReadPCIn Success!!" | |
| $a36 = "New a phy memory : Size =%08X" | |
| $a37 = "Phy address = 0x%016X" | |
| $a38 = "IOCTL_NewAMemspace Success!!" | |
| $a39 = "Dispatch Device = 0x%x" | |
| $a40 = "Dispatch Access = 0x%x" | |
| $a41 = "Dispatch Method = 0x%x" | |
| $a42 = "Dispatch Function = 0x%x" | |
| $a43 = "DispatchDeviceControl_exit!" | |
| $a44 = "Into MapPhysToLinear\n" | |
| $a45 = "(MAPMEM) interfaceType=%x\n" | |
| $a46 = "(MAPMEM) busNumber=%x\n" | |
| $a47 = "(MAPMEM) physicalAddress=%x\n" | |
| $a48 = "(MAPMEM) length=%x\n" | |
| $a49 = "(MAPMEM) ObReferenceObjectByHandle failed\n" | |
| $a50 = "(MAPMEM) HalTranslatephysicalAddress failed\n" | |
| $a51 = "(MAPMEM) physicalAddressbase=%8.8x %8.8x\n" | |
| $a52 = "(MAPMEM) physicalAddressend=%8.8x %8.8x\n" | |
| $a53 = "(MAPMEM) mappedLength.LowPart == 0\n" | |
| $a54 = "(MAPMEM) ZwMapViewOfSection failed:%x\n" | |
| $a55 = "(MAPMEM) physicalMemoryHandle=%x\n" | |
| $a56 = "(MAPMEM) virtualAddress=%x %x\n" | |
| $a57 = "(MAPMEM) memory successfully mapped\n" | |
| $a58 = "Exit MapPhysToLinear\n" | |
| $a59 = "Into UnMapPhysToLinear\n" | |
| $a60 = "Exit UnMapPhysToLinear\n" | |
| $a61 = "IBuffer Address = 0x%08X" | |
| $a62 = "(MAPMEM) MmGetPhysicalAddress failed\n" | |
| $a63 = "IBuffer PHYAddress = 0x%016X" | |
| $a64 = "SMI_P->SMI_Command = 0x%02X" | |
| $a65 = "IOCTL_SMI Success!!" | |
| $a66 = "ASUSTeK Computer Inc." | |
| $a67 = "ASUSTeK COMPUTER INC." | |
| $a68 = "CheckAsusSig return %d" | |
| $a69 = "ExAllocatePoolWithTag failed" | |
| $a70 = "GetAsusString" | |
| $a71 = "GetAsusStringFseg return TRUE" | |
| $a72 = "DRIVER7_Read_enter!" | |
| $a73 = "Handle = 0x%x" | |
| $a74 = "Linear Addr = 0x%x" | |
| $a75 = "STATUS_INVALID_PARAMETER" | |
| $a76 = "DRIVER7_Read_exit!" | |
| $a77 = "DRIVER7_Write_enter!" | |
| $a78 = "DRIVER7_Write_exit!" | |
| $w0 = "\\Device\\PhysicalMemory" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {D230341C22141C55DBE3B5AD1B86BD0252E9AD3EA1E0B632961B925F4DBD74C7E2D7CEE8F8CB20B4D2CC021134397408C28CF916550555F516E00B5D382C569A3FEF1757AC8DD7CF1CF57E355054BC48FC251E4BAA8EF59E666319C2F537DE1BD36E2B2D67FC9C591AF77772304DBE392956DA2061D77BD916656903E01E0446E9A17D3571704223E5268EEF7302230ACB91AC667D6C598387B62A250289085BCAC88E73AE8D69C2A22AA5893CE9862596D12CB6F9444D2C845272D30620AF1EAC4B66531E8D95FF8CFF56093EA62D9A8AB82DC5C274B874F52DE4CFADA77D5BD9F086AD281BFA205F4326A97967D38292E75A55532228BBF4E7F86A6A7F88B3} | |
| $m5 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\PhyMem" wide | |
| $w1 = "\\DosDevices\\PhyMem" wide | |
| $w2 = "\\Device\\PhysicalMemory" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {D8D27FCC0552D15C3986903D9E05D25CE52D4F9AA84DCEDF21EE3A2FCBDB5BF42510800E98E97FCD8CAC5FD2C6060892A2BDE2F00DEFD3164294890EA94D4A13E6D4EF8CB99C85842B2580C89318BB991958938F0CC8CF4F2A8CE68FEC80AD5756D63BA7EA0A804E709F00AEB91A484EE9B952F39722CAB2AB7147B135DE910A3481219E243274A185508716F8FC4315039712B0581E271EA9A1D2B2B8EE53AD85C54F5F60DEAF3351289E02F197E1CCE0E0560642C3CDDD3316D0311F30DCEAE880011D6FAFD04365084A90C5FB7DDFCF13194FE72C813116730B176AEC88E31D7D70967B1F710FE15A1BC680ACFF7814FB596706C31FA8735B75B121951A77} | |
| $m3 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m4 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "PanMonFlt!CreateListeYap: Path = %wZ \n" | |
| $a1 = "PanMonFlt!CreateListeYap: CreateListeYap..\n" | |
| $m0 = {94EF65F8B5579FA0530D3406EB091FB747186ACBF05BE4FF27A534D1F7891ABF9EB1CD12416E66D481A0858B645A462F99A08D77B1E2BC5CDD22D76A67D0BBE8CA74DE8B4F0DB052E5905BEB470EF1E79F9C0B90653E17963045726D39A11736CAB9A08C1B4F0819F68131AD6116A462E6B4409EC3FCFB95F6FBB52E958198E0EFC5EBD802597877F7AAE3526B509129C5FCF7CD9365D2606122F206FB32DD1651FA0EFD8A30F01709A7BBF304AEAB90E76CDF7AA9F4EFC462275F6F996D3874AA118BDADFC7144CE985B2ECC27D4A268FE756BAA6E0CF92538074F403EC68B260BC842000831BA1EEB47405C1298E62D047B1FAF053CC18F92E3BF9707EB425} | |
| $m1 = {B24F14E710BED72672AB3697EF53BF42845E58D18A28FC43466F7E2844500B755D00D73C0A449E206AA4F7454A3760A36E3F12FA6DFAB646C36AA3B80C2728025728D150F7613955B8C3E12586523CBF051DD7B39AF89A243149D5A2A9E2D391AB3E3C73EFF629F1C835D0307B7F4E92A5068F87E2CEF5C16366AC18692AC15EBB5AE86E95FF3B80629D99C7C72F66D5FD621A82555AC6FA40778EC9303C1BF0F235B86C599CFDE9D6CAB4401EF704CAD167A974E3A50854D983353B8E8C230C75B6DE864A9E1A3E0A5049389CD2A890BF98FAC88C2B27117E2AFBCEDEA9AE389322FAA6ECFB5C6176C344D6CC0C7E2F6D0680A27440BBB71FF43BD773541FF3} | |
| $m2 = {B017AEA2D3B60430561E580FB1ED55A4D654CBD8F6733AEC5D5EAB25FD36A5FA84C36140C546B559523B42A22E5F136210A95BE673D69225B17D23E306B3873A0E43F0D7008953A2113152286E5D40723CF20977A7499297D46C90A076A7FDB8DCB39DF207602C4F5898006BD31554E0FADDFF802C5F18A698FFD4ABECA14559B22E6F625DE0D919AC8B579CA8262BD917A510D247081A702C338B7F68802AB5A15D6BDD8D02022903AA7C37BBBB294E3D5393B3A6FA8FD25893154CB92DAB80A3A325FBAFF70864B07A440F5C10D75F6137AA4E6BD3D253259D8273FA2CF972B0A919392A50FAA9D03C3ACAE85BEFF55F51F4F90AD99735DE6A85E6230442AF} | |
| $m3 = {E8551803EE0203C0E49106851D4B105ED1FCC6FD8C261DFA95C32B7001B841A9102F472CD10210508E3E399AF82C7BD488EC127B436D9C94692DF18D6DF48D6803F3DF7E55B8ED517DE7C6E7D50945F229115B2899768DA607BE26987265BAE0A51107D13A70C26C7A338FAEB4E2DB7E8C4E481299CB1B6147CDB87C2255D774C381DD345E62B52FF3023EC788F9980AE773CB87EDC4331F6EA51FF03C1DF97FB1EFF3E89F11B8FBF107DF21F7E1E2E0EA3078008034B3D9236026D4FA873DC802AC7820EAFE879A51E7CF5BB526FB77F8CA80293D922F9146D0567FC93584B4A0BC9D51DE2E7043360F730E4A73A04E4F01C579F9F19AC33433BB00AD558387} | |
| $m4 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "NCPL -NcxFreeMemory- Called with invalid memory pointer\n" | |
| $a1 = "NCPL -NcxFreeMemory- Buffer memory has been overrun\n" | |
| $a2 = "NCPL -NcxFreeMemory- Releasing unowned buffer\n" | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {BE671DB460AA10496F56177C66C95E860DD5F1ACA771838E8B89F88804891506BA2D842195E4D19C504CFBD222BDDAF2B2353B1E8FC309FBFC132E5ABF897C3D3B251EF6F3587B9CF401B5C60AB880CEBE27746167274D6AE5EC81615879A3E01710121527B0E14D347F2B472044B9DE6624668ACD4FBA1FC538C85490E172F61966756AB94968CF38790DAA30A8DB2C60489ED7AA1401A983D7389130391396033A7C4054B6ADE02F1B83DCA811523E02B3D72BFD21B6A75CA30F0BA9A610500E342E4DA7CEC95E25D48CBCF36E7C29BC015DFC31875AD58C8567588819A0BF35F0EA2BA321E790F683E5A8ED60785E7B6083FD570B5D410D635460D64321EF} | |
| $m3 = {CFA241F029B618700FC132998826EC17AB89DBB413AD918AEF6BFFDA5170082EE482DD299F64B79AB133740CFA99446740011EB82CA6951AF405E993AE13BD1FCBE73B2BDD27A21B313D162C56FA3E90C8EF025BEE619AFF6E64462D8930DC96DDB85C1648B5CDCE1485F8440B1C240AC888B4406491888732C3C5B14692422B} | |
| $m4 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "\\Device\\" | |
| $w1 = "\\DosDevices\\ElbyCDIO" wide | |
| $w2 = "\\Device\\ElbyCDIO" wide | |
| $w3 = "\\DosDevices\\ElbyCDIO" wide | |
| $m0 = {C4B5F25215BC88866029164A5B2F4B916B8791F335545835EAD1365E624D52513471C27B661D89C8DD2AC46A0AF637D9987491F692AEB0B57696F1A94A6345472E6B0B924E4B2B8CEE584A8BD407E41A2CF882AA58D9CD42F32DC075DE8DABC78E1D9A6C4C08951EDEDBEF67E172C249C29E603CE1E2BE16A3637869147BAD2D} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {A29B752AA713BA09712418DFA1066229129EDC9E7573E8DF5657699613564FF2C8BC0158ED2686720B60F519C55503579BB910C9A1D47440FF6C00E8E65337FEB7DA793EB85238E9812C9F0E3352A6CD70CE4A5D62F4D1675EBC974A07CABCDD8D47B1CDF1655B8501B04B6BDECD8E2EF550E8A39C9D26986B366341037044F05FE2257579507D5FA106A2460C55954714D39146866899E727F494EC9A4151F796D47A8CE14497687103D8586FBDB41042EE0D6675468B4496D23000120763F7449B0170CA566F9C58972A27178B2E71526D46ABA72B0F7F164864C852FA0617000774D745B30CF5789573E80AEEC4E0728C1E11AA1EBB5ECEF9B400EE73BDCD} | |
| $m3 = {DCE7F51F49C0030EBBAD48781E74B8760C394B3B8DBC9FA181E14311A97B0B8DC4D7CDB5FCC41FE5A8EBF6AD0EAC1FEF8FA327AB29EC138BB218F3F7019BFFCE3DC676ADC8D5014891EF0F0F96A085DDF0A4F76B2EAE25BD697D3ACB88442BE80A14355CD383F95C83450D3E16E2C9AEF7C9830D5FCC6BAB7F2DDEFA39952F7F} | |
| $m4 = {B0B1F2800070CEECC38CB497EDC6098C266F89DF675981CFDE14134CC2B145E2537541FA07366FBA117028947C6D72BD071525653A09FF85DCFA7B5E378738E4C74B0880989E8ACD580902C0C30149965888892659F56DC6B9C1FB1825EDD8624ECA0A6C5D70EFCED39B290B09C6F6EEB616D43C548ECC5DE0AFDBDD2309327B328116620A06CB7ACF3421B66F36B6B1CECB9A2935403E9D587CFFAD8298FAB8D589CA35DDCBCD5706CB9BE4BF94A880985F7796F0B6E7AB74794021A663E9D00791BD8538B4AE96ACA1FF1473DAA545B84D86CE2A3CEFD4DF280E75A9A88813C2E47C6093F225CC038497E64EB69F2DD6B58B343CABD5383AC83DC4B1F994CD} | |
| $m5 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_81939e5c12bd627ff268e9887d6fb57e95e6049f28921f3437898757e7f21469 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "81939e5c12bd627ff268e9887d6fb57e95e6049f28921f3437898757e7f21469" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "CITMDRV.SYS: ZwCreateFile failed (0x%x)\n" | |
| $a1 = "CITMDRV.SYS: unload...\n" | |
| $a2 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_WRITECOMBINE\n" | |
| $a3 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_NOCACHE\n" | |
| $a4 = "CITMDRV.SYS: ZwUnmapViewOfSection failed (0x%x)\n" | |
| $a5 = "CITMDRV.SYS: copy %u bytes into user memory\n" | |
| $a6 = "CITMDRV.SYS: virtualAddress=0x%p\n" | |
| $a7 = "CITMDRV.SYS: Insufficient input or output buffer\n" | |
| $a8 = "CITMDRV.SYS: MmProbeAndLockPages access violation\n" | |
| $a9 = "CITMDRV.SYS: ZwMapViewOfSection failed (0x%x)\n" | |
| $a10 = "CITMDRV.SYS: userOffset = 0x%x\n" | |
| $a11 = "CITMDRV.SYS: requested offset = 0x%x\n" | |
| $a12 = "CITMDRV.SYS: aligned Address = 0x%I64x\n" | |
| $a13 = "CITMDRV.SYS: Try to split into single pages\n" | |
| $a14 = "CITMDRV.SYS: ZwOpenSection failed (0x%x)\n" | |
| $a15 = "CITMDRV.SYS: offset = 0x%x\n" | |
| $a16 = "CITMDRV.SYS: aligned end Address = 0x%I64x\n" | |
| $a17 = "CITMDRV.SYS: aligned start Address = 0x%I64x\n" | |
| $a18 = "CITMDRV.SYS: requested Size = 0x%x\n" | |
| $a19 = "CITMDRV.SYS: requested Address = 0x%I64x\n" | |
| $a20 = "CITMDRV.SYS: IoAllocateMdl failed\n" | |
| $a21 = "CITMDRV.SYS: userVirtualAddress = 0x%p\n" | |
| $a22 = "CITMDRV.SYS: IRP_MJ_CREATE\n" | |
| $a23 = "CITMDRV.SYS: unknown IRP_MJ_DEVICE_CONTROL\n" | |
| $a24 = "CITMDRV.SYS: IoCreateDevice failed\n" | |
| $a25 = "CITMDRV.SYS: IoCreateSymbolicLink failed\n" | |
| $a26 = "CITMDRV.SYS: DriverEntry...\n" | |
| $w0 = "\\DosDevices\\CITMDRV" wide | |
| $w1 = "\\Device\\PhysicalMemory" wide | |
| $w2 = "\\Device\\CITMDRV" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {D66D48AB487B00E92CAB08B846957A4918A507E5A6ACF04FEDCD529AB14D7EB0444DED486867E9C23B5CE55969AE520C6E556E2D1583277A6A09479D9CE2104BB76D1332005412F7D28AA1A85027F622F542F2832FB348F0454BE2D13BAD717280718D798272374000C8DF32748EB926321695E71ACA96FA4B55ACF24DF9A780BDEFE07205866592C1941457898ACB2A866226CF5C5E336C59B9D4359DAB8D340FCC0606C7565AEC8D5AACC37AAED10DD2F72260F831D1FA7ED05D69C7EF31C65424CAF31BF2D9482EA4108D0F7D13B30D6D5FC88D516E9992518D418A871F6CEBC20E55012AB2B7C73611995439723309A26374311F3C4C5D324E6CE5B2EAA3} | |
| $m3 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m4 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "PanMonFlt!CreateListeYap: CreateListeYap..\n" | |
| $a1 = "PanMonFlt!CreateListeYap: Path = %wZ \n" | |
| $m0 = {94EF65F8B5579FA0530D3406EB091FB747186ACBF05BE4FF27A534D1F7891ABF9EB1CD12416E66D481A0858B645A462F99A08D77B1E2BC5CDD22D76A67D0BBE8CA74DE8B4F0DB052E5905BEB470EF1E79F9C0B90653E17963045726D39A11736CAB9A08C1B4F0819F68131AD6116A462E6B4409EC3FCFB95F6FBB52E958198E0EFC5EBD802597877F7AAE3526B509129C5FCF7CD9365D2606122F206FB32DD1651FA0EFD8A30F01709A7BBF304AEAB90E76CDF7AA9F4EFC462275F6F996D3874AA118BDADFC7144CE985B2ECC27D4A268FE756BAA6E0CF92538074F403EC68B260BC842000831BA1EEB47405C1298E62D047B1FAF053CC18F92E3BF9707EB425} | |
| $m1 = {B24F14E710BED72672AB3697EF53BF42845E58D18A28FC43466F7E2844500B755D00D73C0A449E206AA4F7454A3760A36E3F12FA6DFAB646C36AA3B80C2728025728D150F7613955B8C3E12586523CBF051DD7B39AF89A243149D5A2A9E2D391AB3E3C73EFF629F1C835D0307B7F4E92A5068F87E2CEF5C16366AC18692AC15EBB5AE86E95FF3B80629D99C7C72F66D5FD621A82555AC6FA40778EC9303C1BF0F235B86C599CFDE9D6CAB4401EF704CAD167A974E3A50854D983353B8E8C230C75B6DE864A9E1A3E0A5049389CD2A890BF98FAC88C2B27117E2AFBCEDEA9AE389322FAA6ECFB5C6176C344D6CC0C7E2F6D0680A27440BBB71FF43BD773541FF3} | |
| $m2 = {B017AEA2D3B60430561E580FB1ED55A4D654CBD8F6733AEC5D5EAB25FD36A5FA84C36140C546B559523B42A22E5F136210A95BE673D69225B17D23E306B3873A0E43F0D7008953A2113152286E5D40723CF20977A7499297D46C90A076A7FDB8DCB39DF207602C4F5898006BD31554E0FADDFF802C5F18A698FFD4ABECA14559B22E6F625DE0D919AC8B579CA8262BD917A510D247081A702C338B7F68802AB5A15D6BDD8D02022903AA7C37BBBB294E3D5393B3A6FA8FD25893154CB92DAB80A3A325FBAFF70864B07A440F5C10D75F6137AA4E6BD3D253259D8273FA2CF972B0A919392A50FAA9D03C3ACAE85BEFF55F51F4F90AD99735DE6A85E6230442AF} | |
| $m3 = {E8551803EE0203C0E49106851D4B105ED1FCC6FD8C261DFA95C32B7001B841A9102F472CD10210508E3E399AF82C7BD488EC127B436D9C94692DF18D6DF48D6803F3DF7E55B8ED517DE7C6E7D50945F229115B2899768DA607BE26987265BAE0A51107D13A70C26C7A338FAEB4E2DB7E8C4E481299CB1B6147CDB87C2255D774C381DD345E62B52FF3023EC788F9980AE773CB87EDC4331F6EA51FF03C1DF97FB1EFF3E89F11B8FBF107DF21F7E1E2E0EA3078008034B3D9236026D4FA873DC802AC7820EAFE879A51E7CF5BB526FB77F8CA80293D922F9146D0567FC93584B4A0BC9D51DE2E7043360F730E4A73A04E4F01C579F9F19AC33433BB00AD558387} | |
| $m4 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_49f75746eebe14e5db11706b3e58accc62d4034d2f1c05c681ecef5d1ad933ba | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "49f75746eebe14e5db11706b3e58accc62d4034d2f1c05c681ecef5d1ad933ba" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "CITMDRV.SYS: ZwCreateFile failed (0x%x)\n" | |
| $a1 = "CITMDRV.SYS: unload...\n" | |
| $a2 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_WRITECOMBINE\n" | |
| $a3 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_NOCACHE\n" | |
| $a4 = "CITMDRV.SYS: ZwUnmapViewOfSection failed (0x%x)\n" | |
| $a5 = "CITMDRV.SYS: copy %u bytes into user memory\n" | |
| $a6 = "CITMDRV.SYS: virtualAddress=0x%p\n" | |
| $a7 = "CITMDRV.SYS: Insufficient input or output buffer\n" | |
| $a8 = "CITMDRV.SYS: ZwMapViewOfSection failed (0x%x)\n" | |
| $a9 = "CITMDRV.SYS: aligned Address = 0x%I64x\n" | |
| $a10 = "CITMDRV.SYS: requested offset = 0x%x\n" | |
| $a11 = "CITMDRV.SYS: userOffset = 0x%x\n" | |
| $a12 = "CITMDRV.SYS: Try to split into single pages\n" | |
| $a13 = "CITMDRV.SYS: ZwOpenSection failed (0x%x)\n" | |
| $a14 = "CITMDRV.SYS: offset = 0x%x\n" | |
| $a15 = "CITMDRV.SYS: aligned end Address = 0x%I64x\n" | |
| $a16 = "CITMDRV.SYS: aligned start Address = 0x%I64x\n" | |
| $a17 = "CITMDRV.SYS: requested Size = 0x%x\n" | |
| $a18 = "CITMDRV.SYS: requested Address = 0x%I64x\n" | |
| $a19 = "CITMDRV.SYS: MmProbeAndLockPages access violation\n" | |
| $a20 = "CITMDRV.SYS: IoAllocateMdl failed\n" | |
| $a21 = "CITMDRV.SYS: userVirtualAddress = 0x%p\n" | |
| $a22 = "CITMDRV.SYS: unknown IRP_MJ_DEVICE_CONTROL\n" | |
| $a23 = "CITMDRV.SYS: IRP_MJ_CREATE\n" | |
| $a24 = "CITMDRV.SYS: IoCreateDevice failed\n" | |
| $a25 = "CITMDRV.SYS: IoCreateSymbolicLink failed\n" | |
| $a26 = "CITMDRV.SYS: DriverEntry...\n" | |
| $w0 = "\\DosDevices\\CITMDRV" wide | |
| $w1 = "\\Device\\PhysicalMemory" wide | |
| $w2 = "\\Device\\CITMDRV" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {D66D48AB487B00E92CAB08B846957A4918A507E5A6ACF04FEDCD529AB14D7EB0444DED486867E9C23B5CE55969AE520C6E556E2D1583277A6A09479D9CE2104BB76D1332005412F7D28AA1A85027F622F542F2832FB348F0454BE2D13BAD717280718D798272374000C8DF32748EB926321695E71ACA96FA4B55ACF24DF9A780BDEFE07205866592C1941457898ACB2A866226CF5C5E336C59B9D4359DAB8D340FCC0606C7565AEC8D5AACC37AAED10DD2F72260F831D1FA7ED05D69C7EF31C65424CAF31BF2D9482EA4108D0F7D13B30D6D5FC88D516E9992518D418A871F6CEBC20E55012AB2B7C73611995439723309A26374311F3C4C5D324E6CE5B2EAA3} | |
| $m3 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m4 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\DosDevices\\SPEEDFAN" wide | |
| $w1 = "\\DosDevices\\Global\\SPEEDFAN" wide | |
| $w2 = "\\Device\\speedfan" wide | |
| $m0 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m1 = {B2502848DDD3687A84184466755D7EC4B89F6326FF3D439C7C113810255573D9752769FD4EB9205CD30AF9A01B2AED55562161D81EDBE4BC336BC7EFDDA337658E1B930CB6531E5C7C66355F058A45FE764EDF5380A281209DAE885CA208F7E530F9EE22374C420ACEDFC61FC4D655E9813FB552A32CAA017AF2A2AA8D35FE9FE65D6A059F3D6BE3BF96C0FECC60F940E707A044EB81516EA52AF2B68A1028ED8FDC06A086509A7B4A080D301DCA109E6BF7E958AE04A94099B228E88F16AC3CE3536F4BD3359DB56F641DB3962CBB3DE779EB6D7AF916E626ADAFEF9953B7402C95B879AAFED452AB29747E42EC391EA26A16E659BB2468D80080431087806B} | |
| $m2 = {BEBCEEBC7EEF83EBE0374FFB031038BE08D28C7D9DFA927F190CC26BEE42528CDED31C481325EAC1637AF95165EED3AA3BF5F0949C2BFBF266D424DAF7F59F6E193936BCD0A376081E2227246C389127E28449AE1B8AA1FD25822C1030E871AB28E8774A51F1ECCDF8F054D46FC0E36D0A8FD9D8648D63B22D4E27F6850EFE6DE32999E285477C2D867FE8578FAD67C23332911320FCA923149A6DC2844B766804D5712C5D21FA880D26FD1F2D912BE701554DF26D352882DFD96B5CB6D6D9AA81FD5FCD83BA639DD022FCA93B4269B28E3AB5BCB49E0F5EC4EA2C828B28FD530896DDB50120D1F9A518E7C0EE517037E1B6054852486F38EAC3E86C7B4484BB} | |
| $m3 = {CF5A6E999A141952809A757C800F134D5125CD6EEFF33151ED5FB8D8E3B3E13A5FD8F8B84B8E26EEC0FC21FD65551BAF6ACDB0045B4BFD09098DC9333835625A8D81F9C4EEBC833ABB53369B666CCEB9823D02AFF2DC3FA15346F0D56F4D68040B51AAD5D4E94B1AF16574F452AF70F1A94795B87ECF553F8F1B66B5277EB463} | |
| $m4 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\WinRing0_1_0_1" wide | |
| $w1 = "\\DosDevices\\WinRing0_1_0_1" wide | |
| $m0 = {C6BCD918CF65D1873C8AFC9A0942B968C9F0BD6807B070611D73DFACDDF6BEDC36127E5C6079BE65640F2C12A65CB053C97A98011588C787BD81902DAD544B4C0CDA4DCF87A1D155CEC97BE3ACCA492FBB2222210D6ECE8421DD6B0A3F7FA02952C441029D8FBD2392A35BAB14FDFB5C7A6B9CC71AE6E4D6C9FCECE71D916EA62B6337EE7BF76FBD6137AD7E690A2FC6EB34BB3E09E8A9806DEC1A9D897A93336BE05307278ACEC04DA7E20A92FC5FF15716E863E7D251F50D8E892DB6C291C04592488087522D84F46D7201E5CF9BD831FE2BA6AAA5397F3AC78A7AD5FB27A0FC8CDE13C0F280FE92FEA842D30F49A793BA0C64B408D6B8C2FD02EA475DBAE7} | |
| $m1 = {BDEF30F130F134A98965774D46A78D90FDAE4F8ECA2817BA59E3A8920A45032A8A8FE50950555281F0A391B1D9122A81F6C2031C3C82C072CDF1A700D7F5549C0A47EE9A9541928EA0AD093DD3EBA274AD9F192009B67DA65E359F4F396A03B58AAD1F96626B17B9AB8760D55D6DD992C9D013AED488D950A8449104B0EA47EA5FB2ED04C1D7017C21F8C47123FC6B4C654433C38D1DE6D2661C522946C406E70B35F05901660089CF9CE37B78AA53E2EEAC3595E7FD5DD7429495D31A6E315547D7EBADC74C9F5471831A17C8F9E7CE5801F436BFAE3F599F657C40075C732034A212C349F46840691E89E085E93AB79763BB47B0396B41007EF54BB87FE321} | |
| $m2 = {A29B752AA713BA09712418DFA1066229129EDC9E7573E8DF5657699613564FF2C8BC0158ED2686720B60F519C55503579BB910C9A1D47440FF6C00E8E65337FEB7DA793EB85238E9812C9F0E3352A6CD70CE4A5D62F4D1675EBC974A07CABCDD8D47B1CDF1655B8501B04B6BDECD8E2EF550E8A39C9D26986B366341037044F05FE2257579507D5FA106A2460C55954714D39146866899E727F494EC9A4151F796D47A8CE14497687103D8586FBDB41042EE0D6675468B4496D23000120763F7449B0170CA566F9C58972A27178B2E71526D46ABA72B0F7F164864C852FA0617000774D745B30CF5789573E80AEEC4E0728C1E11AA1EBB5ECEF9B400EE73BDCD} | |
| $m3 = {CDCB1B731DA7FFDFC3AE4782C100F2913C1080D775E6A2E0B08AF86B73C248F9D98482DB6FBEAEBF56529935AFD6C2E3E2D1D4B6A79350720480F4C96B15F3FC7C3B584F77E24904628B999062038592FE0C6BDF41C4B28D581E88B9106104B4C7839CC2B116D6BD649507F9F9A65A3991523A2C27F8D0DCD31A9A598510B50061253B3D1317C8114C76A6FE4C61CC59D2C44330215C1540094F73E1C195A465668FDBD3A83011F9C5AC131150A84FB7541FECAF991A39A0ED2803117BBAB0B2FB843EB6F8744B899B990A9AE7F8894DB889C9B4A500339065C44260CEBC43423813D5DE5B6BA24ED13F4A3945675801B82353EF370766017FBF6709050BE7BF} | |
| $m4 = {B0B1F2800070CEECC38CB497EDC6098C266F89DF675981CFDE14134CC2B145E2537541FA07366FBA117028947C6D72BD071525653A09FF85DCFA7B5E378738E4C74B0880989E8ACD580902C0C30149965888892659F56DC6B9C1FB1825EDD8624ECA0A6C5D70EFCED39B290B09C6F6EEB616D43C548ECC5DE0AFDBDD2309327B328116620A06CB7ACF3421B66F36B6B1CECB9A2935403E9D587CFFAD8298FAB8D589CA35DDCBCD5706CB9BE4BF94A880985F7796F0B6E7AB74794021A663E9D00791BD8538B4AE96ACA1FF1473DAA545B84D86CE2A3CEFD4DF280E75A9A88813C2E47C6093F225CC038497E64EB69F2DD6B58B343CABD5383AC83DC4B1F994CD} | |
| $m5 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_aa9ab1195dc866270e984f1bed5e1358d6ef24c515dfdb6c2a92d1e1b94bf608 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "aa9ab1195dc866270e984f1bed5e1358d6ef24c515dfdb6c2a92d1e1b94bf608" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "CITMDRV.SYS: ZwCreateFile failed (0x%x)\n" | |
| $a1 = "CITMDRV.SYS: unload...\n" | |
| $a2 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_WRITECOMBINE\n" | |
| $a3 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_NOCACHE\n" | |
| $a4 = "CITMDRV.SYS: ZwUnmapViewOfSection failed (0x%x)\n" | |
| $a5 = "CITMDRV.SYS: copy %u bytes into user memory\n" | |
| $a6 = "CITMDRV.SYS: virtualAddress=0x%p\n" | |
| $a7 = "CITMDRV.SYS: Insufficient input or output buffer\n" | |
| $a8 = "CITMDRV.SYS: MmProbeAndLockPages access violation\n" | |
| $a9 = "CITMDRV.SYS: ZwMapViewOfSection failed (0x%x)\n" | |
| $a10 = "CITMDRV.SYS: userOffset = 0x%x\n" | |
| $a11 = "CITMDRV.SYS: requested offset = 0x%x\n" | |
| $a12 = "CITMDRV.SYS: aligned Address = 0x%I64x\n" | |
| $a13 = "CITMDRV.SYS: Try to split into single pages\n" | |
| $a14 = "CITMDRV.SYS: ZwOpenSection failed (0x%x)\n" | |
| $a15 = "CITMDRV.SYS: offset = 0x%x\n" | |
| $a16 = "CITMDRV.SYS: aligned end Address = 0x%I64x\n" | |
| $a17 = "CITMDRV.SYS: aligned start Address = 0x%I64x\n" | |
| $a18 = "CITMDRV.SYS: requested Size = 0x%x\n" | |
| $a19 = "CITMDRV.SYS: requested Address = 0x%I64x\n" | |
| $a20 = "CITMDRV.SYS: IoAllocateMdl failed\n" | |
| $a21 = "CITMDRV.SYS: userVirtualAddress = 0x%p\n" | |
| $a22 = "CITMDRV.SYS: IRP_MJ_CREATE\n" | |
| $a23 = "CITMDRV.SYS: unknown IRP_MJ_DEVICE_CONTROL\n" | |
| $a24 = "CITMDRV.SYS: IoCreateDevice failed\n" | |
| $a25 = "CITMDRV.SYS: IoCreateSymbolicLink failed\n" | |
| $a26 = "CITMDRV.SYS: DriverEntry...\n" | |
| $w0 = "\\DosDevices\\CITMDRV" wide | |
| $w1 = "\\Device\\PhysicalMemory" wide | |
| $w2 = "\\Device\\CITMDRV" wide | |
| $m0 = {A9596674DA3D8A7D7AD8FCF580447BFE476A14554E50470BECD3EDCEF638F74F69B9B1F0B678820A8C761667E202ADB70DA58AF603FC66D3FC082DCCB573597B89DC336E665A5E5237B462D1925935148B45AC59B24D24A298946842729F3A68E26B8B9E222DF4984E9AC6AFB3E4A0AB3C28BF23E1D772A4F2105367AE77AF51} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {C19C559C6A1B732FDAC3DEF6D5255CF6D9C9116D00B46A3D4C1D2351789690D3CCD17891EC9A395511748C2F4C0B6B98C6BBBEE515A6A7450D6F3048153E46FE0FCFAA68D4F1D32E35EA6BCA67FA90A8F3A533A3711A685B4E4219E4CE7A2DBBE5C0BBCE17167C18741E76C599D7D6073C70CA65FB1923BE80260E86FF71125D} | |
| $m3 = {BE671DB460AA10496F56177C66C95E860DD5F1ACA771838E8B89F88804891506BA2D842195E4D19C504CFBD222BDDAF2B2353B1E8FC309FBFC132E5ABF897C3D3B251EF6F3587B9CF401B5C60AB880CEBE27746167274D6AE5EC81615879A3E01710121527B0E14D347F2B472044B9DE6624668ACD4FBA1FC538C85490E172F61966756AB94968CF38790DAA30A8DB2C60489ED7AA1401A983D7389130391396033A7C4054B6ADE02F1B83DCA811523E02B3D72BFD21B6A75CA30F0BA9A610500E342E4DA7CEC95E25D48CBCF36E7C29BC015DFC31875AD58C8567588819A0BF35F0EA2BA321E790F683E5A8ED60785E7B6083FD570B5D410D635460D64321EF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\DosDevices\\AsrDrv103" wide | |
| $w1 = "\\REGISTRY\\MACHINE\\HARDWARE\\RESOURCEMAP\\System Resources\\Physical Memory" wide | |
| $w2 = ".Translated" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {D67A74E9DC9685FA0F266297B09723664D0C8D9D1A38E749A1AD896A90F7BA01ADBF6F0FFC9378EFD1D4E17E4B20A22D1BA4D28F47F4A061D1C5CB031064E94A6102D15ADE1E9765E5F92C8E400C45AB248CA68C120CCCAEFB7FFC28143ACDCB257079C7B5BF6FCFC1C33AA9B01A0E7011AF97E808734152C4B3B9BD5B8028EDE16E5D2E17432C0EDB75C750949526DE6D807BAA0EFA96ABB5B4194F8EF6AE01D0199CAC40AFB99A3D8C6982DC560FDCBD1F7919C3A2385385D03A9B5FAAB3D4AE22C5DDC69268E2DCA124D1822E4D116B20E67325796EB1DB21CF23FC526E882B2026622228F0223B0DBA1DEF0358A3AB44E92EEC6F5B129F5327F290EDBADB} | |
| $m5 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\NTIOLib_Flash" wide | |
| $w1 = "\\DosDevices\\NTIOLib_Flash" wide | |
| $m0 = {A9596674DA3D8A7D7AD8FCF580447BFE476A14554E50470BECD3EDCEF638F74F69B9B1F0B678820A8C761667E202ADB70DA58AF603FC66D3FC082DCCB573597B89DC336E665A5E5237B462D1925935148B45AC59B24D24A298946842729F3A68E26B8B9E222DF4984E9AC6AFB3E4A0AB3C28BF23E1D772A4F2105367AE77AF51} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {B24F14E710BED72672AB3697EF53BF42845E58D18A28FC43466F7E2844500B755D00D73C0A449E206AA4F7454A3760A36E3F12FA6DFAB646C36AA3B80C2728025728D150F7613955B8C3E12586523CBF051DD7B39AF89A243149D5A2A9E2D391AB3E3C73EFF629F1C835D0307B7F4E92A5068F87E2CEF5C16366AC18692AC15EBB5AE86E95FF3B80629D99C7C72F66D5FD621A82555AC6FA40778EC9303C1BF0F235B86C599CFDE9D6CAB4401EF704CAD167A974E3A50854D983353B8E8C230C75B6DE864A9E1A3E0A5049389CD2A890BF98FAC88C2B27117E2AFBCEDEA9AE389322FAA6ECFB5C6176C344D6CC0C7E2F6D0680A27440BBB71FF43BD773541FF3} | |
| $m3 = {BE4A2335C1F42275B5B0E7DD0A5B0C23655C15460D6E2E8455950F3EF4B46165CFB462C11F2C83EF605BF8ED1DC0808584DFD27F07F168DCDB64FB74B8F5A27190D81B187D0DD3F16A379AE523C9E2CF99ECC3EC1DA2567DB7967A08068BBC3288C310C7C6E0A34D724969FA8E317A31B2C8A414CBF217370C842939E5AE40813C50D577DCFED6E87CD8DF87744A8DED04E18FDD01E450A737B1663BF0A883778250EE26B95DD6A1F3F2AD0509B44D9E4CA02267FE8BC62F00197AD013933EC5F91B85208709E947F724CB1A1193F9CE3F1CD8CFAEC366C3C941E12F65EB098B67E31B59175C57B4D0A8988A7B5D93084EA27D4C14D525EC42C2B117D2BDA47B} | |
| $m4 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87" | |
| created = "2023-04-07" | |
| strings: | |
| $m0 = {A64463E548D1ADEAD6DF6D1A1596FD45B155B3E89AD45CCCEBFEBC6445A782D5934F4C02D2B39BAE4A9E59EDAF8F37C6FCC633621F1173F2C407DCE4315111B834EB9D604D0865A7166E973054CC31CFCFADB63A280842D2F0D7ED40BD1D350459B2ECDE34D8BE71B96CDE6D857A431AA62549CB590621E38D5FB096425389EF3FBC6AB5612E9BDA21E824C71244CBBD1FD021B4B354247F7FCB04BE3CC84F551AD831213FDB769C093C3B1E26D488CD9A9F64BB9585CC153EE29DA0FFF8B6287CD1DF56EF8A1C42A380799E517719E98BF4F6A6D20A8DDB5E238B57352E18196E541F5B3087847F60B8CC713B61C60A4090D47FD1F77E0FEA4C87D3371C8A81} | |
| $m1 = {CB5F1EAB51F4D37D612DD2199ABD25FD975C75CDCC23B09955F2B98003366A6F80C60CB5BA3C27450406156BAD0EDE7E47AE3803736B3D28130D242C2F391848A7465E08A9C45360C98C30A3C67D632146E008932FB895976F29FF79D88E9739C833A3571E307214EEB77A7FFF59DB35D075E9C9B2729D56C1CBB72CB7C79B1E2F6B9DE0493A1BF439D3BDA80BA769995B131C4E670937AEA0A826655ABA7FADBB49CA89066722C5E8921B198F02711F5BC1742406ACE87A28A96883A442BC2F247E81F17F27648F706768C372FB69D7E5F00E2C2233E41BC71BD7254D2FFC76FB317CF2989F8E1F6A9960ABBFF1320FCAFD33489D595C58ADE23D2978283074C8354EF2EF96185ADB60A8BEE7FD9AACF9C03DE37D4E4ACF0B65DF21A471E4222283F25360528E51813A35A0EAE9FCC175E085C206432C930ED3B762AF522735733FDB11A449F9BBE3DF3F95D9F9D493E870D9AC5B080C4931735FC6532C9B097548443349997730221181D41056562E24DC8CC49BB415A3618AD8C4EFE5CD44FBAD74E803A26D69C093A776BF16D97951B2A8109001DC87363E51AB71D9D14E958EE6D85BF3A9357087093B8C55F0D573357114FE6B0E5615B36B34BF7405EEA03B6DF86E3112E247F44BE7B7490DEB65CBA12384A47B5BF1E2FD6469CEB31F1B5B9F68F07522786FA839CBF0FEE4A667B90B4671FE7A7E75133E57E156509D} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "(null string)" | |
| $a1 = "---===<<< Log File Initial OK >>>===---\r\n" | |
| $a2 = "<=== DriverEntry()\r\n" | |
| $a3 = "===> DispatchCreate()\r\n" | |
| $a4 = "<=== DispatchCreate()\r\n" | |
| $a5 = "===> DriverUnload()\r\n" | |
| $w0 = "x86BiosAllocateBuffer" wide | |
| $w1 = "x86BiosFreeBuffer" wide | |
| $w2 = "x86BiosReadMemory" wide | |
| $w3 = "x86BiosWriteMemory" wide | |
| $w4 = "\\Device\\{F0E8CCF6-5232-4B6F-A159-3B612B77A43F}" wide | |
| $w5 = "\\DosDevices\\{F0E8CCF6-5232-4B6F-A159-3B612B77A43F}" wide | |
| $w6 = "\\Registry\\Machine\\Software\\Insyde\\InsydeFlash" wide | |
| $w7 = "\\Registry\\Machine\\Software\\Wow6432Node\\Insyde\\InsydeFlash" wide | |
| $w8 = "OpenClosePerLog" wide | |
| $w9 = "EnableCMOSDebug" wide | |
| $w10 = "CMOSOffset1" wide | |
| $w11 = "CMOSOffset2" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {E7A1B47D232EBD68CB8591F07CB68A420112EA34908D9838D15D26945FAA12374FA317C784263DA2A28A8ED3A31BF248CA7BA508F832229CDDB799174BA35F768DAAA37C3405536B6866089911FCF0A76F78D80DFAF45515FBC4480CFAD1AF6726F3841F4491BF31146643A503A8184AFC98D3C0B63AE17DB3740CF56E35A1B028764F8BC4BE9003C20DB49752EEF02A2327D8A25925515BC16D0EF82B32ED64AE4FD7FD8218FC4A4D1ADD40239B13A69930AD4E771DAC415C93D34C5B624897EDFF89BF5377CC3D2B894E6E28EE9AE7C7027B055AA88066AF615A40F851E178649D208575957108C068A0CD84A94890CEF546F25F18D2E6014290688D37F205} | |
| $m3 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m4 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "DllGetClassObject" | |
| $a1 = "DllCanUnloadNow" | |
| $a2 = "DllPrepareToStop" | |
| $a3 = "[NICM] NICM_IOCTL_REQUEST_REPLY Exception 0x%08X detected.\n" | |
| $m0 = {B6924E656BD22840E7A84A3B1FB244F7424D2BB3815C77120B260AAC3EFE17A46DCE52B41BEAA9DD1770801D0828A81E0DC778523B63233E2B73BD7234D49525AAA7CF9984555B8C701F3C245C508ACACE702DB9C8AFAAD9DC1CB4EA2F66C73143FD244727E8D162D8CC9B728CB300E79341F03928114A802877E19FD7C062882208194A467F99551BB393FF769647C77244B1B3FB8C5788DA88F21C4164AD4559486E19DBDCE52789CB2E7C5C8EECB91EC89555AEEDCAEB86126BD7332FC52CFC0F2077769E56416366A780BE96503EC5F4B8BD152E5DC5216168D5E90824DF991764BF32A4D967ABA06FAF45AA7E47310927D3880EC9381A5D2D70CC2F4181} | |
| $m1 = {CB5F1EAB51F4D37D612DD2199ABD25FD975C75CDCC23B09955F2B98003366A6F80C60CB5BA3C27450406156BAD0EDE7E47AE3803736B3D28130D242C2F391848A7465E08A9C45360C98C30A3C67D632146E008932FB895976F29FF79D88E9739C833A3571E307214EEB77A7FFF59DB35D075E9C9B2729D56C1CBB72CB7C79B1E2F6B9DE0493A1BF439D3BDA80BA769995B131C4E670937AEA0A826655ABA7FADBB49CA89066722C5E8921B198F02711F5BC1742406ACE87A28A96883A442BC2F247E81F17F27648F706768C372FB69D7E5F00E2C2233E41BC71BD7254D2FFC76FB317CF2989F8E1F6A9960ABBFF1320FCAFD33489D595C58ADE23D2978283074C8354EF2EF96185ADB60A8BEE7FD9AACF9C03DE37D4E4ACF0B65DF21A471E4222283F25360528E51813A35A0EAE9FCC175E085C206432C930ED3B762AF522735733FDB11A449F9BBE3DF3F95D9F9D493E870D9AC5B080C4931735FC6532C9B097548443349997730221181D41056562E24DC8CC49BB415A3618AD8C4EFE5CD44FBAD74E803A26D69C093A776BF16D97951B2A8109001DC87363E51AB71D9D14E958EE6D85BF3A9357087093B8C55F0D573357114FE6B0E5615B36B34BF7405EEA03B6DF86E3112E247F44BE7B7490DEB65CBA12384A47B5BF1E2FD6469CEB31F1B5B9F68F07522786FA839CBF0FEE4A667B90B4671FE7A7E75133E57E156509D} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\NTIOLib_MSISMB_CC" wide | |
| $w1 = "\\DosDevices\\NTIOLib_MSISMB_CC" wide | |
| $m0 = {A9596674DA3D8A7D7AD8FCF580447BFE476A14554E50470BECD3EDCEF638F74F69B9B1F0B678820A8C761667E202ADB70DA58AF603FC66D3FC082DCCB573597B89DC336E665A5E5237B462D1925935148B45AC59B24D24A298946842729F3A68E26B8B9E222DF4984E9AC6AFB3E4A0AB3C28BF23E1D772A4F2105367AE77AF51} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {B24F14E710BED72672AB3697EF53BF42845E58D18A28FC43466F7E2844500B755D00D73C0A449E206AA4F7454A3760A36E3F12FA6DFAB646C36AA3B80C2728025728D150F7613955B8C3E12586523CBF051DD7B39AF89A243149D5A2A9E2D391AB3E3C73EFF629F1C835D0307B7F4E92A5068F87E2CEF5C16366AC18692AC15EBB5AE86E95FF3B80629D99C7C72F66D5FD621A82555AC6FA40778EC9303C1BF0F235B86C599CFDE9D6CAB4401EF704CAD167A974E3A50854D983353B8E8C230C75B6DE864A9E1A3E0A5049389CD2A890BF98FAC88C2B27117E2AFBCEDEA9AE389322FAA6ECFB5C6176C344D6CC0C7E2F6D0680A27440BBB71FF43BD773541FF3} | |
| $m3 = {BE4A2335C1F42275B5B0E7DD0A5B0C23655C15460D6E2E8455950F3EF4B46165CFB462C11F2C83EF605BF8ED1DC0808584DFD27F07F168DCDB64FB74B8F5A27190D81B187D0DD3F16A379AE523C9E2CF99ECC3EC1DA2567DB7967A08068BBC3288C310C7C6E0A34D724969FA8E317A31B2C8A414CBF217370C842939E5AE40813C50D577DCFED6E87CD8DF87744A8DED04E18FDD01E450A737B1663BF0A883778250EE26B95DD6A1F3F2AD0509B44D9E4CA02267FE8BC62F00197AD013933EC5F91B85208709E947F724CB1A1193F9CE3F1CD8CFAEC366C3C941E12F65EB098B67E31B59175C57B4D0A8988A7B5D93084EA27D4C14D525EC42C2B117D2BDA47B} | |
| $m4 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "\\Registry\\Machine\\" | |
| $a1 = "\\Registry\\User\\" | |
| $a2 = "\\Registry\\Machine\\SOFTWARE\\Classes\\" | |
| $a3 = "buffer troppo piccolo" | |
| $a4 = "Processo: " | |
| $a5 = "Software\\Microsoft\\Windows NT\\CurrentVersion\\WinLogon\\Notify" | |
| $a6 = "PROTOCOLS\\FILTER" | |
| $a7 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows" | |
| $a8 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" | |
| $a9 = "explorer.exe" | |
| $a10 = "SOFTWARE\\microsoft\\windows nt\\currentversion\\winlogon" | |
| $a11 = "ErrDisableSvc" | |
| $a12 = "SYSTEM\\CurrentControlSet\\Services\\" | |
| $a13 = "SYSTEM\\CurrentControlSet\\Services\\VIRAGTLT" | |
| $a14 = "DisableSvc" | |
| $a15 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\explorer\\run" | |
| $a16 = "chatfile\\shell\\open\\command" | |
| $a17 = "scrfile\\shell\\open\\command" | |
| $a18 = "piffile\\shell\\open\\command" | |
| $a19 = "comfile\\shell\\open\\command" | |
| $a20 = "batfile\\shell\\open\\command" | |
| $a21 = "exefile\\shell\\open\\command" | |
| $a22 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce" | |
| $a23 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce" | |
| $a24 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices" | |
| $a25 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx" | |
| $a26 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" | |
| $a27 = "SOFTWARE\\Microsoft\\Command Processor" | |
| $a28 = "system" | |
| $a29 = "SecurityProviders" | |
| $a30 = "SYSTEM\\CurrentControlSet\\Control\\SecurityProviders" | |
| $a31 = "SOFTWARE\\Microsoft\\Internet Explorer\\Styles" | |
| $a32 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" | |
| $a33 = "\\InprocServer32" | |
| $a34 = "PROTOCOLS\\FILTER\\Text/plain" | |
| $a35 = "PROTOCOLS\\FILTER\\Text/Html" | |
| $a36 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks" | |
| $a37 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler" | |
| $a38 = "SOFTWARE\\Microsoft\\Internet Explorer\\Toolbar" | |
| $a39 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad" | |
| $a40 = "CODEBASE" | |
| $a41 = "DownloadInformation" | |
| $a42 = "*\\shellex\\ContextMenuHandlers" | |
| $a43 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\explorer\\Browser Helper Objects" | |
| $a44 = "SOFTWARE\\Microsoft\\Code Store Database\\Distribution Units" | |
| $a45 = "Debugger" | |
| $a46 = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options" | |
| $a47 = "System\\CurrentControlSet\\Services\\WinSock2\\Parameters\\Protocol_Catalog9\\Catalog_Entries" | |
| $a48 = "LibraryPath" | |
| $a49 = "System\\CurrentControlSet\\Services\\WinSock2\\Parameters\\NameSpace_Catalog5\\Catalog_Entries" | |
| $a50 = "SearchAssistant" | |
| $a51 = "CustomizeSearch" | |
| $a52 = "Software\\Microsoft\\Internet Explorer\\Search" | |
| $a53 = "Search Page" | |
| $a54 = "Search Bar" | |
| $a55 = "Default_Search_URL" | |
| $a56 = "Default_Page_URL" | |
| $a57 = "Software\\Microsoft\\Internet Explorer\\Main" | |
| $a58 = "ServiceDll" | |
| $a59 = "DisplayName" | |
| $a60 = "\\Parameters" | |
| $a61 = "System\\CurrentControlSet\\Services" | |
| $a62 = "SOFTWARE\\microsoft\\windows nt\\currentversion\\Image File Execution Options\\" | |
| $a63 = "System" | |
| $a64 = "SOFTWARE\\microsoft\\windows nt\\currentversion\\windows" | |
| $a65 = "SOFTWARE\\virit-lt" | |
| $a66 = "SOFTWARE\\microsoft\\windows nt\\currentversion\\Image File Execution Options\\userinit.exe" | |
| $a67 = "SOFTWARE\\microsoft\\windows nt\\currentversion\\Image File Execution Options\\monlite.exe" | |
| $a68 = "SOFTWARE\\microsoft\\windows nt\\currentversion\\Image File Execution Options\\viritexp.exe" | |
| $a69 = "SOFTWARE\\microsoft\\windows nt\\currentversion\\Image File Execution Options\\monitor.exe" | |
| $a70 = "SOFTWARE\\microsoft\\windows nt\\currentversion\\Image File Execution Options\\explorer.exe" | |
| $a71 = "\\Device\\Harddisk0\\DR0" | |
| $a72 = "\\BaseNamedObjects" | |
| $a73 = "%s -> MajorFunction[%s] = %x Hook in %s" | |
| $a74 = "%s -> MajorFunction[%s] = %x" | |
| $a75 = "%s -> DriverInit = %x Hook in %s" | |
| $a76 = "%s -> DriverInit = %x" | |
| $a77 = "%s -> DriverStartIo = %x Hook in %s" | |
| $a78 = "%s -> DriverStartIo = %x" | |
| $a79 = "\\Driver\\" | |
| $a80 = "\\Driver" | |
| $a81 = "AntiTDL::ReadDiskSector - The IRQL is too high to process this request.\r\n" | |
| $a82 = "AntiTDL - Error in ZwCreateFile at function IrpHookDiskDriver. Return value: %i\r\n" | |
| $a83 = "AntiTDL - Entry Point del driver richiamata!\r\n" | |
| $a84 = "AntiTdl!HandleRemoveTDL3IoCtl - Non sono riuscito ad eliminare i settori del TDL3 alla fine del volume.\r\n" | |
| $a85 = "AntiTdl!HandleRemoveTDL3IoCtl - GetVolumePhysDisk has failed.\r\n" | |
| $a86 = "AntiTdl!HandleCheckSystemIoCtl - Unable to Find Port Driver.\r\n" | |
| $a87 = "AntiTdl!HandleRepairSystemIoCtl - Unable to Find Port Driver.\r\n" | |
| $a88 = "AntiTdl!HandleScanFileIoCtl - Unable to repair Infected Driver\r\n" | |
| $a89 = "AntiTdl - Il Master Boot Record " | |
| $a90 = "AntiTdl - Warning! Il Master Boot Record del sistema " | |
| $a91 = "AntiTdl!HandleScanMbrIoCtl - SCSIReadDiskSector has failed, retuned error: 0x%08X\r\n" | |
| $a92 = "AntiTdl!HandleScanMbrIoCtl - Unable to read Mbr (error while getting Disk driver object)\r\n" | |
| $a93 = "AntiTdl!HandleScanFileIoCtl - Unable to Find Port Driver.\r\n" | |
| $a94 = "Viragt: ReadSecortByScsi - Unable to Find Port Driver.\r\n" | |
| $a95 = "AntiTdl!RemoveTDL3Infection - It was not possible to remove the entire infection at the end of the disk...\r\n" | |
| $a96 = "AntiTdl!RemoveTDL3Infection - Unable to write Sector 0x%10X.\r\n" | |
| $a97 = "AntiTdl!RemoveTDL3Infection - Unable to read Sector 0x%10X.\r\n" | |
| $a98 = "AntiTdl!RemoveTDL3Infection - Unable to get Volume information. Returned Error 0x%08X.\r\n" | |
| $a99 = "AntiTdl!RemoveTDL3Infection - Unable to read Mbr. ReadDiskSector returned error: 0x%08X.\r\n" | |
| $a100 = "AntiTDL!SCSIRepairFile - Il parametro \"fileNameString\" NON " | |
| $a101 = " null o non nel formato \\DosDevices\\X:\\...)\r\n" | |
| $a102 = "AntiTDL!SCSIRepairFile - La GetRscSectionRVA ha fallito. Filename: %S\r\n" | |
| $a103 = "AntiTdl!SCSIRepairFile - Second FileOffsetToPhysicalOffset has failed with error: 0x%08X\r\n" | |
| $a104 = "AntiTdl!SCSIRepairFile - Real SCSIWriteDiskSector on file \"%S\" has failed with error 0x%08X!\r\n" | |
| $a105 = "AntiTDL!SCSIRepairFile - Unable to modify real SCSI Dispatch function. \r\n\tThe rootkit could still repair itself and could remain in system hard disk.\r\n" | |
| $a106 = "AntiTDL!SCSIRepairFile - Real SCSI Dispatch function was modified by a hot pach! \r\n" | |
| $a107 = "AntiTDL!SCSIRepairFile - Real SCSI Dispatch function was modified by an IRP Hook! \r\n" | |
| $a108 = "AntiTdl!SCSIRepairFile - Fake SCSIReadDiskSector on file \"%S\" has failed with error 0x%08X.\r\n" | |
| $a109 = "AntiTDL!SCSIRepairFile - Unable to get disk %i devices. Last error: 0x%08X\r\n" | |
| $a110 = "AntiTdl!SCSIRepairFile - FileOffsetToPhysicalOffset has failed with error: 0x%08X\r\n" | |
| $a111 = "AntiTDL!GetVolumeInfo - ZwQueryVolumeInformationFile has failed with error 0x%08X!\r\n" | |
| $a112 = "AntiTDL!GetVolumeInfo - ZwDeviceIoControlFile has failed with error 0x%08X!\r\n" | |
| $a113 = "AntiTDL!GetVolumeInfo - La ZwCreateFile ha fallito con error code: 0x%08X.\r\n" | |
| $a114 = "AntiTDL!VolumeLogicalToPhysical - ZwDeviceIoControlFile has failed with error 0x%08X!\r\n" | |
| $a115 = "AntiTDL!VolumeLogicalToPhysical - La ZwCreateFile ha fallito con error code: 0x%08X.\r\n" | |
| $a116 = "AntiTDL!GetVolumePhysDisk - Il parametro \"volString\" NON " | |
| $a117 = " null o non nel formato \\DosDevices\\X:)\r\n" | |
| $a118 = "AntiTDL!GetVolumePhysDisk - ZwDeviceIoControlFile ha fallito con error code: 0x%08X.\r\n" | |
| $a119 = "AntiTDL!GetVolumePhysDisk - La ZwCreateFile ha fallito con error code: 0x%08x, Volume name: %S.\r\n" | |
| $a120 = "AntiTdl!GetRscSectionRva - This file is not a valid Pe!\r\n" | |
| $a121 = "AntiTdl!GetRscSectionRva - Section Header is not valid!\r\n" | |
| $a122 = "AntiTdl!GetRscSectionRva - This is not a 32 bit Pe!\r\n" | |
| $a123 = "AntiTdl!GetEntryPointRva - Section Header is not valid!\r\n" | |
| $a124 = "AntiTDL!FileToPhysical - ZwFsControlFile has failed with error 0x%08X!\r\n" | |
| $a125 = "AntiTDL!FileToPhysical - GetVolumeInfo has failed with error 0x%08X!\r\n" | |
| $a126 = "AntiTDL!FileOffsetToPhysicalOffset - ZwCreateFile has failed with errro 0x%08X. Filename: %S\r\n" | |
| $a127 = "AntiTDL!SCSICheckFile - Il parametro \"fileNameString\" NON " | |
| $a128 = " null o non nel formato \\DosDevices\\X:\\...)\r\n" | |
| $a129 = "AntiTDL!SCSICheckFile - La GetRscSectionRVA ha fallito. Filename: %S\r\n" | |
| $a130 = "AntiTdl - Warning! Il file \"%S\" " | |
| $a131 = "AntiTdl!SCSICheckFile - I was unable to analyze %S, because second read has failed with error 0x%08x.\r\n" | |
| $a132 = "AntiTdl!SCSICheckFile - Second FileOffsetToPhysicalOffset has failed with error: 0x%08X\r\n" | |
| $a133 = "AntiTdl - File %S .rscr Section Sector offset: 0x%10X\r\n" | |
| $a134 = "AntiTDL!SCSICheckFile - WARNING! Il file: \"%S\" ha l'entry point fuori dalla Code Section! \r\n" | |
| $a135 = "AntiTDL!SCSICheckFile - SCSIReadDiskSector has failed. Filename: \"%S\", returned error: 0x%08X\r\n" | |
| $a136 = "AntiTDL!SCSICheckFile - La FileOffsetToPhysicalOffset ha fallito. Filename: %S\r\n" | |
| $a137 = "AntiTDL!SCSICheckFile - Unable to get disk port device of volume \"%c:\"\r\n" | |
| $a138 = "AntiTdl!GetAddressKernelModule - Non ho trovato il modulo a cui appartiene l'indirizzo 0x%08X.\r\n" | |
| $a139 = "AntiTdl!GetAddressKernelModule - L'indirizzo 0x%08X appartiene al driver \"%s\".\r\n" | |
| $a140 = "AntiTdl!GetDriverInfo - Trovato Driver Nt \"%s\" ad indice %i.\r\n" | |
| $a141 = "AntiTdl!GetDriverInfo - Driver Nt \"%s\" non trovato nel sistema!\r\n" | |
| $a142 = "AntiTdl!CheckSptdPresence - ObReferenceObjectByHandle returned error 0x%08X, unable to get SPTD Driver Object!\r\n" | |
| $a143 = "AntiTdl!CheckDeviceIntegrity - Funzione DriverInit del driver \"%s\" infetta.\r\n" | |
| $a144 = "AntiTdl!CheckDeviceIntegrity - Funzione DriverUnload del driver \"%s\" infetta.\r\n" | |
| $a145 = "AntiTdl!CheckDeviceIntegrity - Funzione DriverStartIo del driver \"%s\" infetta.\r\n" | |
| $a146 = "AntiTdl!CheckDeviceIntegrity - Le funzioni MajorFunction del driver \"%s\" sono tutte uguali.\r\n" | |
| $a147 = "AntiTdl!CheckDeviceIntegrity - Funzione MajorFunction[%i] del driver \"%s\" sconosciuta.\r\n" | |
| $a148 = "AntiTdl!CheckDeviceIntegrity - Il driver SPTD della Duplex Security " | |
| $a149 = " installato nel sistema e rompe le scatole...\r\n" | |
| $a150 = "AntiTdl!CheckDeviceIntegrity - Controllo incrociato 1 fallito (pDrvObj->DriverExtension->DriverObject != pDrvObj)\r\n" | |
| $a151 = "AntiTdl!RepairForgedDriver - Funzione MajorFunction[%i] del driver \"%s\" sconosciuta.\r\n" | |
| $a152 = "AntiTdl!RepairForgedDriver - Warning, funzione DriverStartIo del driver \"%s\" infetta.\r\n" | |
| $a153 = "AntiTdl!RepairForgedDriver - Il driver SPTD della Duplex Security " | |
| $a154 = " installato nel sistema e rompe le scatole...\r\n" | |
| $a155 = "AntiTdl!RepairForgedDriver - DriverStartIo of driver %s is NULL.\r\n" | |
| $a156 = "AntiTdl!RepairForgedDriver - pFakeDrvObj == pRealDrvObj, nuova versione del TDL3 oppure sistema pulito?\r\n" | |
| $w0 = "\\Driver\\Disk" wide | |
| $w1 = "\\DosDevices\\PhysicalDrive%d" wide | |
| $w2 = "\\DosDevices\\" wide | |
| $w3 = "\\Driver\\sptd" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {ECBA9BB8DF227CAE645861BED9E3DBF85298A505A3DB0005708FB670D502793454B0E1F350E5EF112433624B5F81FEB61533724398263B78C70BCB20BF9EFA4EF4FACBFB89F9D01A6428E696653A9EFB2D06DD22DB15E4157856A4A5113D8AE3C8221412A1E4F884BCD11318877B3D7859D67FCCD18567B91865210AC30E43B01960DEA6F69CAA1D0CA759D6E0C2F4C93AC615C3A95DC8D80A9A0DFF2182E49C051508E31EDF67F683703FA9CF4F9668F0B74EEB0891E348F68453A1C160F854061CF143AE44724F1907D85EC3BF15CE37D31BF7F8BA51CB19D2E38C40B0E1B3A49B61A0437138CADDE42AB9544CD8E4F754FD704E34C1A8786D9D889CA33211} | |
| $m5 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_1c8dfa14888bb58848b4792fb1d8a921976a9463be8334cff45cc96f1276049a | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "1c8dfa14888bb58848b4792fb1d8a921976a9463be8334cff45cc96f1276049a" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "CITMDRV.SYS: ZwCreateFile failed (0x%x)\n" | |
| $a1 = "CITMDRV.SYS: unload...\n" | |
| $a2 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_WRITECOMBINE\n" | |
| $a3 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_NOCACHE\n" | |
| $a4 = "CITMDRV.SYS: ZwUnmapViewOfSection failed (0x%x)\n" | |
| $a5 = "CITMDRV.SYS: copy %u bytes into user memory\n" | |
| $a6 = "CITMDRV.SYS: virtualAddress=0x%p\n" | |
| $a7 = "CITMDRV.SYS: Insufficient input or output buffer\n" | |
| $a8 = "CITMDRV.SYS: ZwMapViewOfSection failed (0x%x)\n" | |
| $a9 = "CITMDRV.SYS: aligned Address = 0x%I64x\n" | |
| $a10 = "CITMDRV.SYS: requested offset = 0x%x\n" | |
| $a11 = "CITMDRV.SYS: userOffset = 0x%x\n" | |
| $a12 = "CITMDRV.SYS: Try to split into single pages\n" | |
| $a13 = "CITMDRV.SYS: ZwOpenSection failed (0x%x)\n" | |
| $a14 = "CITMDRV.SYS: offset = 0x%x\n" | |
| $a15 = "CITMDRV.SYS: aligned end Address = 0x%I64x\n" | |
| $a16 = "CITMDRV.SYS: aligned start Address = 0x%I64x\n" | |
| $a17 = "CITMDRV.SYS: requested Size = 0x%x\n" | |
| $a18 = "CITMDRV.SYS: requested Address = 0x%I64x\n" | |
| $a19 = "CITMDRV.SYS: MmProbeAndLockPages access violation\n" | |
| $a20 = "CITMDRV.SYS: IoAllocateMdl failed\n" | |
| $a21 = "CITMDRV.SYS: userVirtualAddress = 0x%p\n" | |
| $a22 = "CITMDRV.SYS: unknown IRP_MJ_DEVICE_CONTROL\n" | |
| $a23 = "CITMDRV.SYS: IRP_MJ_CREATE\n" | |
| $a24 = "CITMDRV.SYS: IoCreateDevice failed\n" | |
| $a25 = "CITMDRV.SYS: IoCreateSymbolicLink failed\n" | |
| $a26 = "CITMDRV.SYS: DriverEntry...\n" | |
| $w0 = "\\DosDevices\\CITMDRV" wide | |
| $w1 = "\\Device\\PhysicalMemory" wide | |
| $w2 = "\\Device\\CITMDRV" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {D66D48AB487B00E92CAB08B846957A4918A507E5A6ACF04FEDCD529AB14D7EB0444DED486867E9C23B5CE55969AE520C6E556E2D1583277A6A09479D9CE2104BB76D1332005412F7D28AA1A85027F622F542F2832FB348F0454BE2D13BAD717280718D798272374000C8DF32748EB926321695E71ACA96FA4B55ACF24DF9A780BDEFE07205866592C1941457898ACB2A866226CF5C5E336C59B9D4359DAB8D340FCC0606C7565AEC8D5AACC37AAED10DD2F72260F831D1FA7ED05D69C7EF31C65424CAF31BF2D9482EA4108D0F7D13B30D6D5FC88D516E9992518D418A871F6CEBC20E55012AB2B7C73611995439723309A26374311F3C4C5D324E6CE5B2EAA3} | |
| $m3 = {97831E0016AF2CB1D208C4D7689351601E71F6E247B4DB584D23626AB4BF5A1B51F7A30D187768BBD836AB2F2150DA9EF3E75F274E0BC297C8097093A9DA5C0D4EA40D91A0B4EC14CE9172542ECEA3DB44E9521B3F413CCA4AE4AAC0E839AB53CC21D0CCCF7F9BE6C2CC586A8215EE3D36CF1CC59707248EF17BBE312D3D6EDCB599429F4B61955F1C70EE177DDB8BE5618978C7681BAF11781A98AEC4554753D9B332D6A10E4640C597928AD153A7995B853557D3EA936261200AC7307724114D6283B6BA7B688231EE65CADFF9D58DB235DC8C2B6F6A725C60849CF20C945EC056520048CCD3F8A57DDE2FD713E438A884D546B81386C21B9DEA5A38DD9BDB} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_c9b49b52b493b53cd49c12c3fa9553e57c5394555b64e32d1208f5b96a5b8c6e | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "c9b49b52b493b53cd49c12c3fa9553e57c5394555b64e32d1208f5b96a5b8c6e" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\WinIoA" wide | |
| $w1 = "\\DosDevices\\WinIoA" wide | |
| $w2 = "\\Device\\PhysicalMemory" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {BCBB452474D8F1E436D8A132EBE9A8497EF90DE1CEA045BA3C0EFFB368009253376FAC7CF180C2C9310A35F1851747EFBE798BEFA59F18A5F16AB4FC9F294C2E7CE19F34F975168F7AD9218FE6929A45CB5DE1B685761539E583640D7909FABE329F938FAE6D41C6BFA18058D4D3F964934E8A57B07FCF3532F7EB305F4DA03622A0C77CBDB3E098629464540E30772B9D3F2A4172E0550198354B399A6C42EDD547BB8A451777DC1D3D92692907D3595A217D66F4BEBC7A41777369C252DCC978831E2B877DD4A94C9ABDF60A3D42D67B54D79A478F7D920B349FF2942E6D070E991E0980C5235A121455BB31A2B6AAEEFFB1FC852C66CBFFFEE88B1F50BFA7} | |
| $m3 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m4 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\driveragent%d" wide | |
| $w1 = "\\DosDevices\\driveragent%d" wide | |
| $w2 = "\\BaseNamedObjects\\HW64IrqEvent%d" wide | |
| $w3 = "\\BaseNamedObjects\\HW64KbdEvent%d" wide | |
| $w4 = "\\Device\\PhysicalMemory" wide | |
| $m0 = {94EF65F8B5579FA0530D3406EB091FB747186ACBF05BE4FF27A534D1F7891ABF9EB1CD12416E66D481A0858B645A462F99A08D77B1E2BC5CDD22D76A67D0BBE8CA74DE8B4F0DB052E5905BEB470EF1E79F9C0B90653E17963045726D39A11736CAB9A08C1B4F0819F68131AD6116A462E6B4409EC3FCFB95F6FBB52E958198E0EFC5EBD802597877F7AAE3526B509129C5FCF7CD9365D2606122F206FB32DD1651FA0EFD8A30F01709A7BBF304AEAB90E76CDF7AA9F4EFC462275F6F996D3874AA118BDADFC7144CE985B2ECC27D4A268FE756BAA6E0CF92538074F403EC68B260BC842000831BA1EEB47405C1298E62D047B1FAF053CC18F92E3BF9707EB425} | |
| $m1 = {A3EFD19F29E9D8D382763C62A0D249D6161EF1CFF0D0BA4843032DA71DF2013449A410E96213F413F41683B5D5574248862B955887EA280474CB72110F6126E1FA1C6115C7289B4D0B820F262B903A96EDA4D06B299CF56188E6A4576FEEF470D08D17DEE666765F741E5E0C53385D90F4DF302D1B13D17998541A4B3804F407C42303D392CBF7805DAA9C5606442D414C48B42DEC35929AC695D7F5CE9031E276B361B8F1755742AC3BCE2BC89049E8B726CFBB0C89CBD0C3A36AA1C9D5E39C532B5726FE569A76FD6146A260EC294647F2CDE08262C6045AE7ED4E405C48067D9D5FE774C99E84650D5BDEDCD3241CB41411EBABBFC41FA4BA99D0175835CD} | |
| $m2 = {CC2576907906782216F5C083B684CA289EFD057611C5AD8872FC460243C7B28A9D045F24CB2E4BE1608246E152AB0C8147706CDD64D1EBF52CA30F823D0C2BAE97D7B614861079BB3B1380778C08E149D26A622F1F5EFA9668DF892795389F06D73EC9CB26590D73DEB0C8E9260E8315C6EF5B8BD20460CA49A628F6693BF6CBC82891E59D8A615737AC7414DC74E03AEE722F2E9CFBD0BBBFF53D00E10633E8822BAE53A63A16738CDD410E203AC0B4A7A1E9B24F902E3260E957CBB904926868E538266075B29F77FF9114EFAE2049FCAD401548D1023161195EB897EFAD77B7649A7ABF5FC113EF9B62FB0D6CE0546916A903DA6EE983937176C669858217} | |
| $m3 = {B017AEA2D3B60430561E580FB1ED55A4D654CBD8F6733AEC5D5EAB25FD36A5FA84C36140C546B559523B42A22E5F136210A95BE673D69225B17D23E306B3873A0E43F0D7008953A2113152286E5D40723CF20977A7499297D46C90A076A7FDB8DCB39DF207602C4F5898006BD31554E0FADDFF802C5F18A698FFD4ABECA14559B22E6F625DE0D919AC8B579CA8262BD917A510D247081A702C338B7F68802AB5A15D6BDD8D02022903AA7C37BBBB294E3D5393B3A6FA8FD25893154CB92DAB80A3A325FBAFF70864B07A440F5C10D75F6137AA4E6BD3D253259D8273FA2CF972B0A919392A50FAA9D03C3ACAE85BEFF55F51F4F90AD99735DE6A85E6230442AF} | |
| $m4 = {BEE8AB601AABE906B32BED173733F2166CAC95CD6499DDEAF654E03230298A2884F9629EAE1875C2690F019FD8EAFB260D21C2F3D13BECB31520B4B32039A99EFB9A24930FDC0E845A3BB7B7A2B626EDE7CF04CEF6BAC188CEF063694E258209E2C608942A1849A8D5FA393869480BFCEFBB538B88416D7A9AD69CA82A3BBDB97FA3B94F45AE8AA31125E925321DC0BB26D3F02DCE8CB22EB00026CE8E9CE1E64DE887B850F8374F9CA8B735B14C5DB907E786705CC6822928B983338EF91A612C1EBC9C57E71BF01F952E5DC52FD15826145E4CF56764C5D29837ED005AF105CF5C1BD61C4155C6F295780C9B6B276740F568BA4A850AB0429CA21723E3D447} | |
| $m5 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "Dump Directory: %wZ" | |
| $a1 = "Action Directory: %wZ" | |
| $a2 = "ULKDeleteFile: 0x%08x, %wZ" | |
| $a3 = "ULKDeleteDirectoryItSelf: 0x%08x, %wZ" | |
| $a4 = "ULKRenameFile: 0x%08x" | |
| $a5 = "ULKRenameDirectory: 0x%08x" | |
| $a6 = "create file 0x%08x, %wZ" | |
| $a7 = "ULKCopyDirectory: 0x%08x" | |
| $a8 = "process name: %ws" | |
| $a9 = "ZwTerminateProcess: 0x%08x" | |
| $a10 = "ZwDuplicateObject: ProcessID: %I64u, 0x%08x" | |
| $w0 = "\\Device\\IObitUnlockerDevice" wide | |
| $w1 = "\\DosDevices\\IObitUnlockerDevice" wide | |
| $w2 = "ZwQueryInformationProcess" wide | |
| $w3 = "\\SystemRoot" wide | |
| $w4 = "\\unlocker.log" wide | |
| $w5 = "\\Device\\HarddiskVolume1\\unlocker.log" wide | |
| $w6 = "IObitUnlocker.exe" wide | |
| $w7 = "System" wide | |
| $w8 = "System Idle Process" wide | |
| $w9 = "explorer.exe" wide | |
| $w10 = "$Extend\\$RmMetadata\\$TxfLog" wide | |
| $w11 = "\\DosDevices\\C:" wide | |
| $w12 = "\\Device\\HarddiskDmVolumes\\" wide | |
| $m0 = {C6CCE573E6FBD4BBE52D2D32A6DFE5813FC9CD2549B6712AC3D5943467A20A1CB05F69A640B1C4B7B28FD098A4A941593AD3DC94D63CDB7438A44ACC4D2582F74AA5531238EEF3496D71917E63B6ABA65FC3A484F84F6251BEF8C5ECDB3892E306E508910CC4284155FBCB5A89157E71E835BF4D72093DBE3A38505B77311B8DB3C724459AA7AC6D00145A04B7BA13EB510A984141224E656187814150A6795C89DE194A57D52EE65D1C532C7E98CD1A0616A46873D03404135CA171D35A7C55DB5E64E13787305604E511B4298012F1793988A202117C2766B788B778F2CA0AA838AB0A64C2BF665D9584C1A1251E875D1A500B2012CC41BB6E0B5138B84BCB} | |
| $m1 = {A89E60C0F99FED5B69891E609ED9DA8A6A1BCF9485C83CD55DE00EBF1892D5FA840449E537B4A2E80959A7165A1E831A03BF0CA3687A578A9654862D6166D659CE6A1E756C48B63B2D0CFA29BC94F4137BCFBA19015E1A65BF7124942D69348294FD0F8FFCDF3A50BB9EAACB14F40B12B667F6BB48C681A0CBD7A112EAD990C16BFE7AC778628D87AE737F9645A5A3EABB863F11623D49FA0CA9C0733715CDE46493615B6B39742D6CA9A4FD7C5AA5F1E64B50D9ED016FE3D76737DBE179A4FADB799B743605942233A294E8DEA3FB3CFEDA7EBCE74EDA47EDC97F9ADD5AA24FDFDBC44B2220BE1FF2D0E872D7AD287A8921CB5B47E39603685C735C47433023} | |
| $m2 = {B906741C5DB420AAA921A82A4246AB25201725CB228F90A2A0316B830575AFB20E7C12497B6A8664840F83DC64B9B16E16053E1C95B9E7E7886DB862819079D4DDF5E296F9C3B58823574A1ACF7129E908008FB598E3A732FDAC2EB8F49353F40A394391AFD56BE8D49F46BD8E3DABE2F92BD4EA00406624B7E87FB444758D789AAE31C137CF4E1F5BF8454AD73FC2C9920664BEDE068AAFD0E88AB1F02C88006F0BDC85A74CCB06BFD62E2A326E2971AF8E22F30FD0D898482DA808CBB68B23C263E0B673EB6F7D264F8BF7343D37860CB77827F4C286DB436B5AF83D3DF4E8B06256C6E7ED78A1FBFD7A724F3265C47CC3C477A0043232ED8F3FAF86DD7ED1} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_f51bdb0ad924178131c21e39a8ccd191e46b5512b0f2e1cc8486f63e84e5d960 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "f51bdb0ad924178131c21e39a8ccd191e46b5512b0f2e1cc8486f63e84e5d960" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "BBExecuteInNewThread" | |
| $a1 = "BlackBone: %s: ZwQueryInformationThread failed with status 0x%X\n" | |
| $a2 = "BlackBone: %s: ZwWaitForSingleObject failed with status 0x%X\n" | |
| $a3 = "BlackBone: %s: ZwCreateThreadEx failed with status 0x%X\n" | |
| $a4 = "BBCallTlsInitializers" | |
| $a5 = "BlackBone: %s: Static TLS buffer: 0x%p\n" | |
| $a6 = "BBUnlinkHandleTable" | |
| $a7 = "BlackBone: %s: Invalid ExRemoveTable/ObjTable address\n" | |
| $a8 = "BlackBone: %s: Unsupported kernel build version\n" | |
| $a9 = "BlackBone: %s: PsLookupProcessByProcessId failed with status 0x%X\n" | |
| $w0 = "\\DosDevices\\BlackBone" wide | |
| $m0 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m1 = {CB7514890D60425498FCA9F073FEA8072694766190AE8783055E1F0505C9B38BD4F6A8A474BFF5CA9C370B69434B3234AB7093FB13D017DCA3B5AEED7C845B493A02A4805348D7D2D19BCD7819C6679F775ACE70155060E6BF252BF8B790EFBECCEC423DC231360CD69BB54DA9A16865CD9405A0682C2F3BB474E578A067AA8D1BF3CA1978A7435F5E00CBC776535601F1ED44A2D46965A35C108F53765579A9BBD3A4FBCAE9A94B25165EFA215C34C474329F95F934686726FC8484AD68C7B54E645234E8083DCBF1E68ACBA5C48AA7BC573CBAAA11A04C8D9C1B0B90BFEC29AB67D6F7604FBB6E56B019177CB3C47BF08B7179E7CD608269044B8C32A425EF} | |
| $m2 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_3a5ec83fe670e5e23aef3afa0a7241053f5b6be5e6ca01766d6b5f9177183c25 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "3a5ec83fe670e5e23aef3afa0a7241053f5b6be5e6ca01766d6b5f9177183c25" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\GLCKIo2" wide | |
| $w1 = "\\DosDevices\\GLCKIo2" wide | |
| $w2 = "\\Device\\PhysicalMemory" wide | |
| $w3 = "ZwQueryInformationProcess" wide | |
| $m0 = {9F858C34C11517C023CCA419F75C719FCE26DF64BEB18379294E8298BEFA43A0787DFEF4FA904B2CBA3BAA1971F1731C17CCE63B884F96F60D85E6F3D355467D691887B1EE754409D1EBCB8E9E7F986CEA8816C37F42D4CAB224844226F7D042C1CE7A84DDF4C93C526D68C67754FAF67FDF24F3030C3A0FD9B9D6D9EC0419E485573077360435C983D921A6D9FC03F5C24C0DC642C162C9A3665C68EDD3EF210204FE6CE71672C04A64FE63D9DBAAEE236E2DF20584E8E57704C8AF270C6D93A987461C06A64B538033506FF328ED883659CFF72D1774F34129E7D09D33B620B09FD18C05BA2B1F19D10DD2B64BB60E8822E2924E845CDA212220AD22C26F37} | |
| $m1 = {C6CCE573E6FBD4BBE52D2D32A6DFE5813FC9CD2549B6712AC3D5943467A20A1CB05F69A640B1C4B7B28FD098A4A941593AD3DC94D63CDB7438A44ACC4D2582F74AA5531238EEF3496D71917E63B6ABA65FC3A484F84F6251BEF8C5ECDB3892E306E508910CC4284155FBCB5A89157E71E835BF4D72093DBE3A38505B77311B8DB3C724459AA7AC6D00145A04B7BA13EB510A984141224E656187814150A6795C89DE194A57D52EE65D1C532C7E98CD1A0616A46873D03404135CA171D35A7C55DB5E64E13787305604E511B4298012F1793988A202117C2766B788B778F2CA0AA838AB0A64C2BF665D9584C1A1251E875D1A500B2012CC41BB6E0B5138B84BCB} | |
| $m2 = {B44A5E7D070F41DEC4F5761636BD71FFCF3F4F734B9CD10DFE4ACB57585E8516DD02155499F08F3C2F4D02781068C8D8354B3FC1F767CE981CAE33B92D1DA40A5493C485A2DF35B1F5F13CA7B334FB5D48C946C96244BC4899EB284953C33D8FC00EDE3598E96251DF3D6B4061EE0441DACFA75C5696D1F94CB74484879869E582B913E655BFC89270920A316F7F8B32ABCF6B5A9F62C43EEEBEED59A4537F0BF152888A7B0A6724CB90CDECD24D344CB0E1B59F9CC6F66F2CCDE6CA5374019F6735DE38492DCEED39448219794E1AB2B5FBBB78F04966A7CFFA5C9675928B1A72D9FF509253CC3EC24332091A8613693CFB8132333264757328261D08303B07} | |
| $m3 = {A3645DFC7CB3E08235E0E0F6C62AE649753BCC6EE053A99F1F6459E67C6B7F6B8C9D55F892E39ED55A635B024950D983CE6F66EEDDCB85E95FA5F9D4877488443B19C9E5F5919FC61439AC24EAA84B2C9189CC5E28F464B650B7F512B373960A67A3BE619FAEF3FD1278750EA65B14FD45238E8644557D1886058C5587794846F7CA0E8DA7DE4E5FE2A8B62D5902618861721868B9B87CEEE6E7342F317781301FBB36018DEF27E3F79AF04C31648DE3EBFA1987A87ECFEC8C0C365B7AC17AB878C7C9062E4610C88DE80460DBBC7374FA4ED8FEAA40F1B2CE704683E9DA40A1593AD915095799563093F3C961CCD008CC6BEC624291AC02C0EFA4F089118F77} | |
| $m4 = {E8822D99F9CAC24295A580734070D29E56545CA9C4D241068FC933FC4D45915C819FED2C9CF81659DF9EB52415C298B9B47749DC89C40ADAAFCB5E6BEDADB07131EBCF3A400C464D93EC8B7A360803AB0C34FE184982FEC7C73148807C1EA20F920E50C9C687EB363FD830C3FFA6F7FBA2CD6F7323FEAC560590F032211689C67088F905977DA3C743DD02E83B3DEDB141A3ED3FBEDB9548C4EE1EB3F2BC0C2B99D0C65D124281E1836E82733F264B1490AE59660AC48DBED2CE06AEAD846F48849B4F40B9F14CF2AF98FBF6CE405D5CF6A8F12FAFEC8922F26B1865B1C173ADD7F1D8CF1E0A745C42B8687EB7D5770A27567C0F62A43F32146095FD0704A209} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "Error IoCreateDevice control %#04x\n" | |
| $a1 = "Error IoCreateSymbolicLink control %#04x\n" | |
| $m0 = {D5B42F42D028AD78B75DD539591BB18842F5338CEB3D819770C5BBC48526309FA48E68D85CF5EB342407E14B4FD37843F417D71EDAF9D2D5671A524F0EA157FC8899C191CC81033E4D702464B38DE2087D347D4C8057126B439A99F2C53B1FF2EFCB475A13A64CB3012025F310D38BB2FB08F08AE09D09C065A7FA98804935873D5119E8902178452EA19F2CE118C21ACCC5EE93497042328FFBC6EA1CF3656891A24D4C8211485268DE10BD14575DE8181365C57FB24F852C48A4568435D6F92E9CAA0015D137FE1A0694C27CC8EA1B32E6CAC2F4A7A3030E74A5AF39B6AB6012E3E8D6B9F731E1DCADE418A0D8C1234747B3A10F6EA3AB6D9806831BB76A672DD2BD441A9210818FB03B09D7C79B325AC2FF6A60548B49C193EDE1B45CE06FEB26F98CD5B2F93810E6EACE91F5BED3FB6F9361345CBC93452883362A66285FB073CE8B262506B283D45CF615194CED62E05E33F2E8E8EC0AA7B0032B91B23679BEF7AD081E75A665CCBBE34850F377911AFEDB50A246C8615898F57C02163C8328AD3986ECD4B70D53D0F847E675308DEC30937614A65B4B5D74614D3F129176DEBF58CB72102941F0D5C56D267668114113589ADC262B01F4894D59DB78CF814A3E40475FC98150738510232159608A6454C1CC211AE838197C661CCD78384530994FFF634F4CBBAA0D0853417C583D47B3FAB6EC8C320902CC6C3C0C5611} | |
| $m1 = {A10E76CCD971E007D37400562DC6CF93B710FC0CEF99B6D99D7F249C7B864F3C226BB34F87EA7377DE37CC13AE12B26B8004897C679199ECD7FF65FF408A4A3DBE0815C7F8CCBE13B8A498D19C7DC01A01F98E2367CC6FA936C24ED00883C8C023569087E5F90AF13488C8B6DA700445E35E5847724FF66E2018AEF037A24132997AF7792AAFF7FB27F9166AEF5F9591BA05ABA382BACEFA97B8633322A7D81F27C5A863892D9C978B18FEBBF87CC7042A086E19EA5E36919D34F0C922D0DB4ABB0353FC3FC91335A26A020E3BA214C9537FC0A62D581EC8E94B36947089A9F24AF4259DCE74CB25F3949FAD2D5B2060114FC0C92C71A718D1910E49ADEF05383E90B305E3C05836118D803C444BF25534037B8B46B01165F05BF4CB5A41211518113A357CB7DDDE3D7AB63CE30567362C422CFC07935809FEECF9AA0AF225ECA6789CDBDCBB24329D704D96D3E626D6567C69C3E5262FA7F3A1A91C34742FEFC8A3B9B526154FE3703C63550CBD11F242852FDA2F99EA8115C887527969CB89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\HwRwDrv" wide | |
| $w1 = "\\DosDevices\\HwRwDrv" wide | |
| $m0 = {A9596674DA3D8A7D7AD8FCF580447BFE476A14554E50470BECD3EDCEF638F74F69B9B1F0B678820A8C761667E202ADB70DA58AF603FC66D3FC082DCCB573597B89DC336E665A5E5237B462D1925935148B45AC59B24D24A298946842729F3A68E26B8B9E222DF4984E9AC6AFB3E4A0AB3C28BF23E1D772A4F2105367AE77AF51} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {8C2779513A1E3F9748D9AF047B40009E2E5ED5C07D71D16324BAF34A5DBDC151D9FAB33B2FCC6731C7402A6B9A2D09CCC3C3FFCC93DCFE7DDA4CEB1640086AB90E16980B29B1DC8C018E7AAED094A17F2345E88A55D9D37352D7FCFD1CBFABB15CD92B8B6F03055F4D626CD4D32A4505165FFC3D63BDB9CFF85282D3E2A2883E6E365A31FB898DAE6222040DB7C53B0ADD81F50F0B6960F7A49AE6CBF1853706DBF8CF2A1F8D9F7CE25933593C2D8529634BD961309725DE23829DACF078D631BB680538C4C2D9F8604EFEE5F472EB509E56148030E9A0A3121ABFCAE61A9B68AFCF691CB51969BB16EDE5D79F09AD0AA424F83F46D6F2B1EC9955553285F53D} | |
| $m3 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m4 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "!!!!!!!!!!SelectMiniDriverAltInterface: stream %d, alt %d\n" | |
| $a1 = "<Unknown (Release!)>" | |
| $a2 = "On SRB_INITIALIZE_DEVICE (0x%X)\n" | |
| $a3 = "Interface" | |
| $a4 = "DisplayMode" | |
| $a5 = "AntiFlicker" | |
| $a6 = "EnableAE" | |
| $a7 = "AEMethod" | |
| $a8 = "SnapMethod" | |
| $a9 = "SensorType" | |
| $a10 = "ROffset" | |
| $a11 = "GrOffset" | |
| $a12 = "BOffset" | |
| $a13 = "GbOffset" | |
| $a14 = "EnableSmooth" | |
| $a15 = "BadPxThresholdB" | |
| $a16 = "BadPxThresholdR" | |
| $a17 = "EnableAWB" | |
| $a18 = "Compensate_Line" | |
| $a19 = "Brightness" | |
| $a20 = "Contrast" | |
| $a21 = "Saturation" | |
| $a22 = "Sharpness" | |
| $a23 = "Whitebalance" | |
| $a24 = "CA500CAM_Unload (0x%X)\n" | |
| $a25 = "DriverEntry (0x%X, 0x%X)\n" | |
| $a26 = "ZwOpenKey failed status=0x%08x (STATUS_INVALID_HANDLE)\n" | |
| $a27 = "ZwOpenKey failed status=0x%08x (STATUS_ACCESS_DENIED)\n" | |
| $a28 = "ZwOpenKey status=0x%08x\n" | |
| $a29 = "0130 Enter Dispatch Disconnect\n" | |
| $a30 = "enter USBCAMD_StartDevice\n" | |
| $a31 = "urb allocate fail\n" | |
| $a32 = "'Device Descriptor = %x, len %x\n" | |
| $a33 = "'USBCAMD Device Descriptor:\n" | |
| $a34 = "'bLength %d\n" | |
| $a35 = "'bDescriptorType 0x%x\n" | |
| $a36 = "'bDeviceClass 0x%x\n" | |
| $a37 = "'bDeviceSubClass 0x%x\n" | |
| $a38 = "'bDeviceProtocol 0x%x\n" | |
| $a39 = "'bMaxPacketSize0 0x%x\n" | |
| $a40 = "'idVendor 0x%x\n" | |
| $a41 = "'idProduct 0x%x\n" | |
| $a42 = "'bcdDevice 0x%x\n" | |
| $a43 = "'iManufacturer 0x%x\n" | |
| $a44 = "'iProduct 0x%x\n" | |
| $a45 = "'iSerialNumber 0x%x\n" | |
| $a46 = "'bNumConfigurations 0x%x\n" | |
| $a47 = "deviceDescription allocate fail\n" | |
| $a48 = "call USBCAMD_ConfigureDevice error\n" | |
| $a49 = "exit USBCAMD_StartDevice (%x)\n" | |
| $a50 = "enter USBCAMD_RemoveDevice\n" | |
| $a51 = "exit USBCAMD_RemoveDevice (%x)\n" | |
| $a52 = "return from IoCallDriver USBD %x\n" | |
| $a53 = "***Error*** USBCAMD_CallUSBD (%x)\n" | |
| $a54 = "enter USBCAMD_ConfigureDevice\n" | |
| $a55 = "'Configuration Descriptor = %x, len %x\n" | |
| $a56 = "'Going to call USBCAMD_SelectAlternateInterfaceNew\n" | |
| $a57 = "'USBCAMD_SelectAlternateInterfaceNew (%x)\n" | |
| $a58 = "'exit USBCAMD_ConfigureDevice (%x)\n" | |
| $a59 = "'enter USBCAMD_SelectConfiguration\n" | |
| $a60 = "'size of interface request = %d\n" | |
| $a61 = "'NumberOfPipes 0x%x\n" | |
| $a62 = "'Length 0x%x\n" | |
| $a63 = "'Alt Setting 0x%x\n" | |
| $a64 = "'Interface Number 0x%x\n" | |
| $a65 = "'EndpointAddress 0x%x\n" | |
| $a66 = "'MaxPacketSize 0x%x\n" | |
| $a67 = "'Interval 0x%x\n" | |
| $a68 = "'Handle 0x%x\n" | |
| $a69 = "'exit USBCAMD_SelectConfiguration (%x)\n" | |
| $a70 = "NumberOfPins %d\n" | |
| $a71 = "IsoPipeStreamtype %d\n" | |
| $a72 = "BulkPipeStreamType %d\n" | |
| $a73 = "'enter USBCAMD_SelectAlternateInterface\n" | |
| $a74 = "Failed to Cancel outstanding (Bulk/Int.)IRPs.\n" | |
| $a75 = "size of interface request Urb = %d\n" | |
| $a76 = "'Selecting Camera Interface\n" | |
| $a77 = "'exit USBCAMD_SelectAlternateInterface (%x)\n" | |
| $a78 = "'enter USBCAMD_SelectAlternateInterfaceNew\n" | |
| $a79 = "'exit USBCAMD_SelectAlternateInterfaceNew (%x)\n" | |
| $a80 = "'enter USBCAMD_OpenChannel %x\n" | |
| $a81 = "'exit USBCAMD_OpenChannel (%x)\n" | |
| $a82 = "'***RELEASE dev mutex %x\n" | |
| $a83 = "'enter USBCAMD_CloseChannel\n" | |
| $a84 = "USBCAMD_CloseChannel>Got Mutex 0x%08x\n" | |
| $a85 = "USBCAMD_CloseChannel> Releasing Mutex\n" | |
| $a86 = "'exit USBCAMD_CloseChannel (%x)\n" | |
| $a87 = "'enter USBCAMD_PrepareChannel\n" | |
| $a88 = "'exit USBCAMD_PrepareChannel (%x)\n" | |
| $a89 = "'enter USBCAMD_UnPrepareChannel\n" | |
| $a90 = "USBCAMD_UnPrepareChannel failed stop capture (%x)\n" | |
| $a91 = "'exit USBCAMD_UnPrepareChannel (%x)\n" | |
| $a92 = "'enter USBCAMD_ReadChannel\n" | |
| $a93 = "RawFrameLength %d\n" | |
| $a94 = "Read SRB %x on stream %d is Queued \n" | |
| $a95 = "'exit USBCAMD_ReadChannel 0x%x\n" | |
| $a96 = "enter USBCAMD_StartChannel\n" | |
| $a97 = "exit USBCAMD_StartChannel (%x)\n" | |
| $a98 = "enter USBCAMD_StopChannel\n" | |
| $a99 = "stop before start -- return success\n" | |
| $a100 = "*** Waiting on Abort Pipe Timed out.*** \n" | |
| $a101 = "exit USBCAMD_StopChannel (%x)\n" | |
| $a102 = "Abort Pipe Return ntStatus(%x) \n" | |
| $a103 = "'enter USBCAMD_ControlVendorCommand\n" | |
| $a104 = "'enter USBCAMD_ControlVendorCommand req %x val %x index %x\n" | |
| $a105 = "'BufferLength = 0x%x buffer = 0x%x\n" | |
| $a106 = "USBCAMD_ControlVendorCommand Error 0x%x\n" | |
| $a107 = "'USBCAMD_ControlVendorCommand Error 0x%x\n" | |
| $a108 = "'enter USBCAMD_ControlVendorCommand2\n" | |
| $a109 = "USBCAMD: Switching from D%d to D0\n" | |
| $a110 = "USBCAMD: Cam Driver Failed to restore its state\n" | |
| $a111 = "Restore ISO stream .\n" | |
| $a112 = "USBCAMD: Switching from D0 to D%d\n" | |
| $a113 = "Stop ISO stream .\n" | |
| $a114 = "USBCAMD: Cam Driver Failed to save its state\n" | |
| $a115 = "SetDevicePowerState -> %d\n" | |
| $a116 = "'exit USBCAMD_SetDevicePowerState 0x%x\n" | |
| $a117 = "Stream" | |
| $a118 = "Enter DriverEntry\n" | |
| $a119 = "Enter AdapterInitializeDevice\n" | |
| $a120 = "illegal config info" | |
| $a121 = "StreamDescriptorSize = %d\n" | |
| $a122 = "HwUnintialize, remove device\n" | |
| $a123 = "Request to cancel SRB %x \n" | |
| $a124 = "Current Srb %x is Cancelled\n" | |
| $a125 = "Queued Srb %x is Cancelled\n" | |
| $a126 = "Srb %x type (%d) for stream # %d was not found\n" | |
| $a127 = "Invalid Stream Number: %d\n" | |
| $a128 = "Timeout in Device Srb %x \n" | |
| $a129 = "USBCAMD_ReceivePacket command = %x\n" | |
| $a130 = "USBCAMD: Stream class did not translate IRP_MJ = 0x%x IRP_MN = 0x%x\n" | |
| $a131 = "StopIsoStream" | |
| $a132 = "StartIsoStream" | |
| $a133 = "stop before open \n" | |
| $a134 = "Requested iso stream state is same as previous.\n" | |
| $a135 = "Calling SetIsoPipeState from Dispatch level\n" | |
| $a136 = "USBCAMD_ProcessSetIsoPipeState exit (0x%X)\n" | |
| $a137 = "AdapterStreamInfo\n" | |
| $a138 = "Request to open stream %d \n" | |
| $a139 = "USBCAMD: VideoInfoHdrRequested for stream %d\n" | |
| $a140 = "Width=%d Height=%d FrameTime (ms)= %d\n" | |
| $a141 = "succeeded" | |
| $a142 = "AdapterOpenStream %s for stream %d\n" | |
| $a143 = "AdapterCloseStream # %d\n" | |
| $a144 = "AdapterCloseStream, remove device\n" | |
| $a145 = "SRB_PAGING_OUT_DRIVER\n" | |
| $a146 = "SRB_SURPRISE_REMOVAL\n" | |
| $a147 = "S# %d is stopped.\n" | |
| $a148 = "SRB_UNKNOWN_DEVICE_COMMAND %x\n" | |
| $a149 = "Unknown SRB command %x\n" | |
| $a150 = "USBCAMD_ReceiveDataPacket on stream %d\n" | |
| $a151 = "Frame buffer (%d)< biSizeImage (%d)\n" | |
| $a152 = "Write Srb %x is completed, status = %x\n" | |
| $a153 = "'KSPROPERTY_CONNECTION_ALLOCATORFRAMING (%d)\n" | |
| $a154 = "USBCAMD: New VideoInfoHdrRequested\n" | |
| $a155 = "USBCAMD: MEMORY_ALLOC failed\n" | |
| $a156 = "Cam driver should have handled %s SRB.\n" | |
| $a157 = "Local_CTRLPACKET_SetStreamState> Got Mutex 0x%08x\n" | |
| $a158 = "Local_CTRLPACKET_SetStreamState> Releasing mutex\n" | |
| $a159 = "Local_CTRLPACKET_InidcateMasterClock\n" | |
| $a160 = "USBCAMD_ReceiveCtrlPacket %x\n" | |
| $a161 = "ProposeDataFormat" | |
| $a162 = "SetDataFormat" | |
| $a163 = "GetDataFormat" | |
| $a164 = "Read Srb %x for stream %d is completed, status = %x\n" | |
| $a165 = "SRB Length = %x\n" | |
| $a166 = "frame buffer = %x\n" | |
| $a167 = "Queuing CtrlPacket %x\n" | |
| $a168 = "[CDevice::GetBusInterfaceVersion]\n" | |
| $a169 = "GetBusInterfaceVersion> failed IoBuildSynchronousFsdRequest()\n" | |
| $a170 = "FRC_QueueSrb> pReadExtension=0x%08X\n" | |
| $a171 = "DequeueSrb> pReadExtension=0x%08X\n" | |
| $a172 = "Bulk Read/Write request after device removed!\n" | |
| $a173 = "BulkReadWrite invalid pipe index!\n" | |
| $a174 = "Bulk Read/Write Ovelapping request !\n" | |
| $a175 = "BulkReadWrite invalid pipe type!\n" | |
| $a176 = "BulkReadWrite buffer is a NULL pointer\n" | |
| $a177 = "Enter USBCAMD_WaitOnDeviceEvent\n" | |
| $a178 = "WaitOnDeviceEvent after device removed!\n" | |
| $a179 = "WaitOnDeviceEvent invalid pipe index!\n" | |
| $a180 = "Ovelapping Interrupt request !\n" | |
| $a181 = "WaitOnDeviceEvent invalid pipe type!\n" | |
| $a182 = "WaitOnDeviceEvent NULL buffer pointer!\n" | |
| $a183 = "WaitOnDeviceEvent buffer is smaller than max. pkt size!\n" | |
| $a184 = "Bulk transfer [pipe %d] called. size = %d, pBuffer = 0x%X\n" | |
| $a185 = "Bulk Transfer > Max transfer size.\n" | |
| $a186 = " cannot allocated Transfer Context\n" | |
| $a187 = "Request is < packet size - transferring whole packet into read buffer.\n" | |
| $a188 = "USBCAMD_IntOrBulkTransfer exit (0x%X).\n" | |
| $a189 = "enter USBCAMD_BulkTransferComplete \n" | |
| $a190 = "Short bulk transfer received. Length = %d, ChunkSize = %d\n" | |
| $a191 = "Read bulk buffer transfer completed. size = %d\n" | |
| $a192 = "Queuing next chunk. RemainingSize = %d, pBuffer = 0x%x\n" | |
| $a193 = "Completing bulk transfer request. nbytes transferred = %d, \n" | |
| $a194 = "Int/Bulk transfer Cancelled.\n" | |
| $a195 = "Int/Bulk transfer error. USB status = 0x%X\n" | |
| $a196 = "enter USBCAMD_InitializeBulkTransfer\n" | |
| $a197 = " cannot allocated bulk URB\n" | |
| $a198 = "Bulk Read Buffer = 0x%x\n" | |
| $a199 = "exit USBCAMD_InitializeBulkTransfer 0x%x\n" | |
| $a200 = "Free Bulk Transfer\n" | |
| $a201 = "'***WAIT stream mutex %x\n" | |
| $a202 = "Internal Bulk Read Completed, length = %d status = 0x%X \n" | |
| $a203 = "'***RELEASE stream mutex %x\n" | |
| $a204 = "Wait for Bulk/int transfer to complete with Cancel.\n" | |
| $a205 = "Restore Bulk/int transfer .\n" | |
| $a206 = "Enter USBCAMD_CancelBulkReadWrite\n" | |
| $a207 = "invalid pipe index!\n" | |
| $a208 = "invalid pipe type!\n" | |
| $a209 = "BulkCancel is cancelable at Passive Level Only!\n" | |
| $a210 = "enter USBCAMD_InitializeIsoTransfer\n" | |
| $a211 = "Data Buffer = 0x%x\n" | |
| $a212 = "Sync Buffer = 0x%x\n" | |
| $a213 = "exit USBCAMD_InitializeIsoTransfer 0x%x\n" | |
| $a214 = "Free Iso Transfer\n" | |
| $a215 = "USBD failed IoCallDriver = 0x%x\n" | |
| $a216 = "enter USBCAMD_IsoIrp_Complete = 0x%x\n" | |
| $a217 = "*** ISO IRP CANCELLED ***\n" | |
| $a218 = "pending Irps Completed for transfer\n" | |
| $a219 = "Completed DataUrb status = 0x%X, DataIrp status = 0x%X\n" | |
| $a220 = "Completed SynchUrb status = 0x%X, SyncIrp status = 0x%X\n" | |
| $a221 = "Data ISO Transfer pkt. count = %d , error count = %d\n" | |
| $a222 = "Sync ISO Transfer pkt. count = %d , error count = %d\n" | |
| $a223 = "Failed to create an IRP.\n" | |
| $a224 = "enter USBCAMD_InitializeIsoUrb = 0x%x packetSize = 0x%x\n" | |
| $a225 = "handle = 0x%x\n" | |
| $a226 = "Init Iso Urb Length = 0x%x buf = 0x%x start = 0x%x\n" | |
| $a227 = "exit USBCAMD_InitializeIsoUrb\n" | |
| $a228 = "Current Frame = 0x%x\n" | |
| $a229 = "exit USBCAMD_GetCurrentFrame status = 0x%x current frame = 0x%x\n" | |
| $a230 = "Raw Offset = 0x%x rec length = 0x%x\n" | |
| $a231 = "capture" | |
| $a232 = "RequeueCurrentReadExtension> Dropping %s frame.\n" | |
| $a233 = "Local_CompleteCurrentReadExtension> Current frame is Still. \n" | |
| $a234 = "current raw video frame is completed\n" | |
| $a235 = "current raw still frame is completed. \n" | |
| $a236 = "Completed/Dropped Raw Frame SRB = 0x%x\n" | |
| $a237 = "Local_GetNewReadExtension> pReadExtension=0x%08X (%d - %s)\n" | |
| $a238 = "Transfer req. completed \n" | |
| $a239 = "Stream # %d New Frame SRB = 0x%x \n" | |
| $a240 = "Get next frame request, SRB = 0x%x Stream # %d\n" | |
| $a241 = "enter USBCAMD_SubmitIsoRequestDpc\n" | |
| $a242 = "re-submit this request\n" | |
| $a243 = "Process Raw Still Frame, SRB = %X \n" | |
| $a244 = "No memory for work item\n" | |
| $a245 = "Still Frame buffer is smaller than raw buffer.\n" | |
| $a246 = "Still Frame Completed \n" | |
| $a247 = "Call Cam ProcessFrameEX, len= x%X ,SRB=%X S#%d \n" | |
| $a248 = "GetNamedEventWorkItem>> Successfully Referenced Sync Event Object - 0x%x \n" | |
| $a249 = "GetNamedEventWorkItem>> Failed!!! to Reference Sync Event Object 0x%x\n" | |
| $a250 = "GetNamedEventWorkItem>> IoCreateSynchronizationEvent Failed!!!\n" | |
| $a251 = "ReleaseNamedEventWorkItem> \n" | |
| $a252 = "GetNamedEvent> Unable to Create WorkItem !!!\n" | |
| $a253 = "ReleaseNamedEvent> Unable to Create WorkItem !!!\n" | |
| $a254 = "GetUniqueIDIndex> LVSELSUS_GLOBAL_UIDINDEX Key found... Value is: %ld\n" | |
| $a255 = "SetUniqueIDIndex> LVSELSUS_GLOBAL_UIDINDEX Key Set... Value is: %ld\n" | |
| $a256 = "GetPowSaveSetupOptions> LVSELSUS_TIMEOUT_POWER_SAVE Key found: Value is: %ld\n" | |
| $a257 = "GetPowSaveSetupOptions> LVSELSUS_DISABLE_POWER_SAVE Key found: Value is: %ld\n" | |
| $a258 = "GetInstallOptions> LVSelSusCompositeFilter Key found: Value is: %ld\n" | |
| $a259 = "GetInstallOptions> LVSelSusInterfaceGUID Key found\n" | |
| $a260 = "GetPowSaveSetupOptions> Failed to open Driver Registry Key!\n" | |
| $a261 = "GetSelSusSetupOptions> LVSELSUS_TIMEOUT Key found: Value is: %ld\n" | |
| $a262 = "GetSelSusSetupOptions> LVSELSUS_DISABLE Key found: Value is: %ld\n" | |
| $a263 = "GetSelSusSetupOptions> Failed to open Driver Registry Key!\n" | |
| $a264 = "<Filter_CallUSBD> Cancelling Irp due to timeout\n" | |
| $a265 = "<Filter_CallUSBD> ***Error*** (%x)\n" | |
| $a266 = "WakeUpCompositeFilterDriver>> Failed to alloc memory for irpContext\n" | |
| $a267 = "WakeUpCompositeFilterDriver>> WakeUpDevice::waiting for the power irp to complete\n" | |
| $a268 = "WakeUpCompositeFilterDriver>> WakeUpDevice::complete!!!\n" | |
| $a269 = "LVSELSUS_PowerNotification>> pSelSusCtx->lTimerCancelled already set\n" | |
| $a270 = "LVSELSUS_PowerNotification>> Setting the timer for %dms ...\n" | |
| $a271 = "LVSELSUS_PowerNotification>> Cancelling the Timer ...\n" | |
| $a272 = "LVSELSUS_Init>> [PS Registry Override] Setting the timer for %dms ...\n" | |
| $a273 = "LVSELSUS_Init>> [PS Registry Override] Setting the Composite Filter Flag...\n" | |
| $a274 = "LVSELSUS_Init>> [PS Registry Override] Disabling Power Save Mode!!!\n" | |
| $a275 = "LVSELSUS_Init>> [PS Registry Override] Enabling Power Save Mode!!!\n" | |
| $a276 = "LVSELSUS_Init>> KeWaitForSingleObject Failed!!! 0x%x\n" | |
| $a277 = "LVSELSUS_Init>> [SS Registry Override] Setting the timer for %dms ...\n" | |
| $a278 = "LVSELSUS_Init>> Enabling Selective Suspend!!!\n" | |
| $a279 = "LVSELSUS_Init>> [SS Registry Override] Disabling Selective Suspend!!!\n" | |
| $a280 = "LVSELSUS_Init>> [SS Registry Override] Enabling Selective Suspend!!!\n" | |
| $a281 = "LVSELSUS_DeInit>> Cancelling the timer...\n" | |
| $a282 = "LVSELSUS_DeInit>> Waiting for NoDpcWorkItemPendingEvent...\n" | |
| $a283 = "LVSELSUS_DeInit>> Waiting for NoIdleReqPendEvent...\n" | |
| $a284 = "LVSELSUS_SetTimer>> pSelSusCtx->lTimerCancelled already set\n" | |
| $a285 = "LVSELSUS_SetTimer>> Setting the timer for %dms ...\n" | |
| $a286 = "LVSELSUS_WakeUpDevice>> WakeUpDevice - begins\n" | |
| $a287 = "LVSELSUS_WakeUpDevice>> Called at higher IRQL %d Exiting!!!\n" | |
| $a288 = "LVSELSUS_WakeUpDevice>> Failed to alloc memory for irpContext\n" | |
| $a289 = "LVSELSUS_WakeUpDevice>> WakeUp CompositeFilterDriver First...\n" | |
| $a290 = "LVSELSUS_WakeUpDevice>> WakeUpCompositeFilterDriver Failed - 0x%x\n" | |
| $a291 = "LVSELSUS_WakeUpDevice>> WakeUpDevice::waiting for the power irp to complete\n" | |
| $a292 = "LVSELSUS_WakeUpDevice>> WakeUpDevice::power irp complete\n" | |
| $a293 = "LVSELSUS_PowerDownDevice>> PowerDown - begins\n" | |
| $a294 = "LVSELSUS_PowerDownDevice>> Called at higher IRQL %d Exiting!!!\r" | |
| $a295 = "LVSELSUS_PowerDownDevice>> Failed to alloc memory for irpContext\n" | |
| $a296 = "LVSELSUS_PowerDownDevice>> Powering Down the device...\n" | |
| $a297 = "LVSELSUS_PowerDownDevice>> PowerDown::waiting for the power irp to complete\n" | |
| $a298 = "LVSELSUS_PowerDownDevice>> PowerDown::complete!!!!\n" | |
| $a299 = "LVSELSUS_SubmitIdleRequestIrp>> SubmitIdleRequestIrp - begins\n" | |
| $a300 = "LVSELSUS_SubmitIdleRequestIrp>> Idle request pending..\n" | |
| $a301 = "LVSELSUS_SubmitIdleRequestIrp>> Submiting Idle request...\n" | |
| $a302 = "LVSELSUS_SubmitIdleRequestIrp>> cannot build idle request irp\n" | |
| $a303 = "LVSELSUS_SubmitIdleRequestIrp>> Device cannot selectively suspend - abort\n" | |
| $a304 = "LVSELSUS_SubmitIdleRequestIrp>> Cancelling the timer...\n" | |
| $a305 = "LVSELSUS_SubmitIdleRequestIrp>> Submit an idle request at power state PowerDeviceD%X\n" | |
| $a306 = "LVSELSUS_SubmitIdleRequestIrp>> IoCallDriver failed\n" | |
| $a307 = "LVSELSUS_SubmitIdleRequestIrp>> Memory allocation for idleCallbackInfo failed\n" | |
| $a308 = "LVSELSUS_SubmitIdleRequestIrp>> SubmitIdleRequestIrp - ends\n" | |
| $a309 = "IdleNotificationCallback>> IdleNotificationCallback - begins\n" | |
| $a310 = "IdleNotificationCallback>> Failed to alloc memory for irpContext\n" | |
| $a311 = "IdleNotificationCallback>> Powering Down the Device!!!\n" | |
| $a312 = "IdleNotificationCallback>> IdleNotificationCallback::waiting for the power irp to complete\n" | |
| $a313 = "IdleNotificationCallback>> IdleNotificationCallback::power irp complete\n" | |
| $a314 = "IdleNotificationCallback>> IdleNotificationCallback - ends\n" | |
| $a315 = "IdleNotificationRequestComplete>> IdleNotificationRequestCompete - begins\n" | |
| $a316 = "IdleNotificationRequestComplete>> Idle irp completes with error \n" | |
| $a317 = "IdleNotificationRequestComplete>> STATUS_INVALID_DEVICE_REQUEST\n" | |
| $a318 = "IdleNotificationRequestComplete>> STATUS_CANCELLED\n" | |
| $a319 = "IdleNotificationRequestComplete>> STATUS_POWER_STATE_INVALID\n" | |
| $a320 = "IdleNotificationRequestComplete>> STATUS_DEVICE_BUSY\n" | |
| $a321 = "IdleNotificationRequestComplete>> default: %X\n" | |
| $a322 = "IdleNotificationRequestComplete>> Setting the device back to D0!!!\n" | |
| $a323 = "IdleNotificationRequestComplete>> Failed to alloc memory for irpContext\n" | |
| $a324 = "IdleNotificationRequestComplete>> PoRequestPowerIrp failed\n" | |
| $a325 = "IdleNotificationRequestComplete>> the completion routine has a valid pointer to idleIrp - free the irp\n" | |
| $a326 = "IdleNotificationRequestComplete>> lFreeIdleIrpCount is 0 - free the irp\n" | |
| $a327 = "IdleNotificationRequestComplete>> Set the timer to fire DPCs\n" | |
| $a328 = "IdleNotificationRequestComplete>> IdleNotificationRequestCompete - ends\n" | |
| $a329 = "LVSELSUS_CancelSelectSuspend>> CancelSelectSuspend - begins\n" | |
| $a330 = "LVSELSUS_CancelSelectSuspend>> Device is not idle\n" | |
| $a331 = "LVSELSUS_CancelSelectSuspend>> IoCancelIrp returns TRUE\n" | |
| $a332 = "LVSELSUS_CancelSelectSuspend>> IoCancelIrp returns FALSE\n" | |
| $a333 = "LVSELSUS_CancelSelectSuspend>> lFreeIdleIrpCount is 0 - free the irp\n" | |
| $a334 = "LVSELSUS_CancelSelectSuspend>> CancelSelectSuspend - ends\n" | |
| $a335 = "PoIrpCompletionFunc>> IRP Completed\n" | |
| $a336 = "PoIrpAsyncCompletionFunc>> IRP Completed\n" | |
| $a337 = "DpcRoutine>> DpcRoutine - begins\n" | |
| $a338 = "DpcRoutine>> Timer Already Cancelled... Bail out!!!!\n" | |
| $a339 = "DpcRoutine>> Device Idle detected... Queueing Workitem to submit Idle Request IRP...\n" | |
| $a340 = "DpcRoutine>> Cannot alloc memory for work item\n" | |
| $a341 = "DpcRoutine>> Idle event not signaled\n" | |
| $a342 = "DpcRoutine>> DpcRoutine - ends\n" | |
| $a343 = "IdleRequestWorkerRoutine>> IdleRequestWorkerRoutine - begins\n" | |
| $a344 = "IdleRequestWorkerRoutine>> Device is idle\n" | |
| $a345 = "IdleRequestWorkerRoutine>> LVSELSUS_PowerDownDevice failed\n" | |
| $a346 = "IdleRequestWorkerRoutine>> SubmitIdleRequestIrp failed\n" | |
| $a347 = "IdleRequestWorkerRoutine>> Device is not idle\n" | |
| $a348 = "IdleRequestWorkerRoutine>> IdleRequestsWorkerRoutine - ends\n" | |
| $a349 = "enter USBCAMD_GetPortStatus on Stream #%d \n" | |
| $a350 = "calling USBD port status api\n" | |
| $a351 = "Wait for single object\n" | |
| $a352 = "Wait for single object, returned %x\n" | |
| $a353 = "GetPortStatus returns (0x%x), Port Status (0x%x)\n" | |
| $a354 = "enter USBCAMD_EnablePort\n" | |
| $a355 = "calling USBD enable port api\n" | |
| $a356 = "USBCAMD_EnablePort (%x)\n" | |
| $a357 = "Reset, Wait for stream #%d to stop\n" | |
| $a358 = "*** Waiting on Reset Pipe Timed out.*** \n" | |
| $a359 = "Reset, stream #%d stopped status = 0x%x\n" | |
| $a360 = "USBCAMD_ResetChannel> Enter.\n" | |
| $a361 = "USBCAMD_ResetChannel #%d\n" | |
| $a362 = "USBCAMD_ResetChannel failed (0x%X) \n" | |
| $a363 = "ImageCaptureStarted is False. \n" | |
| $a364 = "USBCAMD_ResetChannel exit (0x%X) \n" | |
| $a365 = "Cancelling queued read SRB on stream %d, Ch. Flag(0x%x)\n" | |
| $a366 = "***USB Error*** on stream # %d. Flags = %d \n" | |
| $a367 = "Cancelling current read SRB on stream %d, Ch. Flag(0x%x)\n" | |
| $a368 = "Stream # %d timeout already scheduled\n" | |
| $a369 = "Stream # %d reset scheduled\n" | |
| $a370 = "***ERROR*** :Camera unplugged...\n" | |
| $a371 = "***ERROR*** :Camera unplugged discovered...\n" | |
| $a372 = "SRB %x Timed out on stream #%d . Reset Pipe.. \n" | |
| $a373 = "USB Error on Stream # %d. Reset Pipe.. \n" | |
| $a374 = "Picture taken, ready to switch back to capture\n" | |
| $a375 = "SIFPoll_InstallPollingThread\n" | |
| $a376 = "Exception in InstallPollingThread (0x%08x)\n" | |
| $a377 = "SIFPoll_InstallPollingThread Done (0x%08x)\n" | |
| $a378 = "SIFPoll_UninstallPollingThread\n" | |
| $a379 = "Exception in SIFPoll_UninstallPollingThread (0x%08x)\n" | |
| $a380 = "SIFPoll_UninstallPollingThread Done (0x%08x)\n" | |
| $a381 = "DevicePollingCB> Device polling thread (0x%08x) running\n" | |
| $a382 = "DevicePollingCB> Device polling thread (0x%08x) terminating\n" | |
| $a383 = "DevicePollingCB> Exception in polling routine (0x%08x)\n" | |
| $a384 = "Local_SwitchToStill> Failed to setup device for still capture (0x%08x).\n" | |
| $a385 = "Local_SwitchToStill> pfnSelectAltInterface succeeded.\n" | |
| $a386 = "Local_SwitchToStill> Failed to acquire still settings mutex.\n" | |
| $a387 = "Local_SwitchToStill> Done with status 0x%08x.\n" | |
| $a388 = "Local_SwitchToCapture> Failed to acquire still settings mutex.\n" | |
| $a389 = "Local_SwitchToCapture>Done with status 0x%08x.\n" | |
| $a390 = "Local_SwitchToStill> Timeout while waiting for still image done event\n" | |
| $a391 = "Local_SwitchToStill> Failed to acquire Still mode mutex\n" | |
| $a392 = "BMFHNDLR_FailedNowOverAndNotifyCB> Entering (pBc=0x%08X)...\n" | |
| $a393 = " BMFHNDLR_FailedNowOverAndNotifyCB> Smart device notification. Ignore ...\n" | |
| $a394 = "BMFHNDLR_FailedNowOverAndNotifyCB> Exiting ...\n" | |
| $a395 = " BMFHNDLR_FailedNowOverAndNotifyCB> Smart device notification. Accept because more than 30s appart ...\n" | |
| $a396 = " BMFHNDLR_FailedNowOverAndNotifyCB> Camera not streaming: cannot do anything. Exit function.\n" | |
| $a397 = " BMFHNDLR_FailedNowOverAndNotifyCB> Allowed increase = %d\n" | |
| $a398 = " BMFHNDLR_FailedNowOverAndNotifyCB> Initial values: BW=%d (%d)\n" | |
| $a399 = " BMFHNDLR_FailedNowOverAndNotifyCB> Final values: New alt int=%d, Recovered=%d\n" | |
| $a400 = " BMFHNDLR_FailedNowOverAndNotifyCB> New format not found: status=0x%08X, Recovered=%d\n" | |
| $a401 = "BMFHNDLR_AllocationFailedCB Negotiating device not in same speed as current device so, skipping\n" | |
| $a402 = "BMFHNDLR_AllocationFailedCB> Entering (pBc=0x%08X)...\n" | |
| $a403 = " BMFHNDLR_AllocationFailedCB> Camera is not streaming : cannot do anything. Exit function.\n" | |
| $a404 = " BMFHNDLR_AllocationFailedCB> Size required by smart device to high. Deny request. Exit function.\n" | |
| $a405 = "BMFHNDLR_AllocationFailedCB> Exiting ...\n" | |
| $a406 = " BMFHNDLR_AllocationFailedCB> Round=%d/%d, Init BW=%d (%d), Abs min BW=%d (%d)\n" | |
| $a407 = " BMFHNDLR_AllocationFailedCB> No bandwidth available.\n" | |
| $a408 = " BMFHNDLR_AllocationFailedCB> lMaxLetGo=%d.\n" | |
| $a409 = " BMFHNDLR_AllocationFailedCB> lRelinquishSize to small (%d). Exit function\n" | |
| $a410 = " BMFHNDLR_AllocationFailedCB> lRelinquishSize=%d.\n" | |
| $a411 = " BMFHNDLR_AllocationFailedCB> Final values: New alt int=%d, LetGo=%d\n" | |
| $a412 = " BMFHNDLR_AllocationFailedCB> New format not found: status=0x%08X, LetGo=%d\n" | |
| $w0 = "\\Registry\\MACHINE\\SOFTWARE\\CA561B\\CA500ACONTROL" wide | |
| $w1 = "\\Registry\\MACHINE\\SOFTWARE\\CA561B\\VIDEOPROCAMP" wide | |
| $w2 = "\\SystemRoot\\Samples\\s.raw" wide | |
| $w3 = "\\SystemRoot\\s1.raw" wide | |
| $w4 = "Brightness" wide | |
| $w5 = "Contrast" wide | |
| $w6 = "Saturation" wide | |
| $w7 = "Sharpness" wide | |
| $w8 = "Whitebalance" wide | |
| $w9 = "EnableAE" wide | |
| $w10 = "EnableAWB" wide | |
| $w11 = "AntiFlicker" wide | |
| $w12 = "DisplayMode" wide | |
| $w13 = "\\SystemRoot\\snap.dat" wide | |
| $w14 = "\\Registry\\MACHINE\\SOFTWARE\\CA561B\\SNAP" wide | |
| $w15 = "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Locale" wide | |
| $w16 = "Locale" wide | |
| $w17 = "\\Registry\\User\\.DEFAULT\\Control Panel\\International" wide | |
| $w18 = "Default" wide | |
| $w19 = "\\Registry\\Machine\\Software\\Logitech\\%s\\Debug" wide | |
| $w20 = "\\KernelObjects\\LVSELSUSEvent" wide | |
| $w21 = "\\Registry\\Machine\\Software\\Logitech\\LVSelSus" wide | |
| $w22 = "LVPowSaveDisable" wide | |
| $w23 = "LVSelSusCompositeFilter" wide | |
| $w24 = "LVSelSusInterfaceGUID" wide | |
| $w25 = "LVSSDisable" wide | |
| $m0 = {C4B5F25215BC88866029164A5B2F4B916B8791F335545835EAD1365E624D52513471C27B661D89C8DD2AC46A0AF637D9987491F692AEB0B57696F1A94A6345472E6B0B924E4B2B8CEE584A8BD407E41A2CF882AA58D9CD42F32DC075DE8DABC78E1D9A6C4C08951EDEDBEF67E172C249C29E603CE1E2BE16A3637869147BAD2D} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {BEBCEEBC7EEF83EBE0374FFB031038BE08D28C7D9DFA927F190CC26BEE42528CDED31C481325EAC1637AF95165EED3AA3BF5F0949C2BFBF266D424DAF7F59F6E193936BCD0A376081E2227246C389127E28449AE1B8AA1FD25822C1030E871AB28E8774A51F1ECCDF8F054D46FC0E36D0A8FD9D8648D63B22D4E27F6850EFE6DE32999E285477C2D867FE8578FAD67C23332911320FCA923149A6DC2844B766804D5712C5D21FA880D26FD1F2D912BE701554DF26D352882DFD96B5CB6D6D9AA81FD5FCD83BA639DD022FCA93B4269B28E3AB5BCB49E0F5EC4EA2C828B28FD530896DDB50120D1F9A518E7C0EE517037E1B6054852486F38EAC3E86C7B4484BB} | |
| $m3 = {945C9559C2437349A72774F062111C00CDF3157F8FCFAA315AAFBECDC74AE7CCAFC6E682262B4A18F628FB7FF06EA14B8F478E5E519D8EDE9E378FE1DB810006370FA13939B5F30D112238EB2C376BCBA0756A1EDB62C29A6C6F147904B66F10A7EADE50AFCC4C7F5C8DA574543654A3312B601E3540C59FA6282EABFEC08A01} | |
| $m4 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_76b86543ce05540048f954fed37bdda66360c4a3ddb8328213d5aef7a960c184 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "76b86543ce05540048f954fed37bdda66360c4a3ddb8328213d5aef7a960c184" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "CITMDRV.SYS: ZwCreateFile failed (0x%x)\n" | |
| $a1 = "CITMDRV.SYS: unload...\n" | |
| $a2 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_WRITECOMBINE\n" | |
| $a3 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_NOCACHE\n" | |
| $a4 = "CITMDRV.SYS: ZwUnmapViewOfSection failed (0x%x)\n" | |
| $a5 = "CITMDRV.SYS: copy %u bytes into user memory\n" | |
| $a6 = "CITMDRV.SYS: virtualAddress=0x%p\n" | |
| $a7 = "CITMDRV.SYS: Insufficient input or output buffer\n" | |
| $a8 = "CITMDRV.SYS: ZwMapViewOfSection failed (0x%x)\n" | |
| $a9 = "CITMDRV.SYS: aligned Address = 0x%I64x\n" | |
| $a10 = "CITMDRV.SYS: requested offset = 0x%x\n" | |
| $a11 = "CITMDRV.SYS: userOffset = 0x%x\n" | |
| $a12 = "CITMDRV.SYS: Try to split into single pages\n" | |
| $a13 = "CITMDRV.SYS: ZwOpenSection failed (0x%x)\n" | |
| $a14 = "CITMDRV.SYS: offset = 0x%x\n" | |
| $a15 = "CITMDRV.SYS: aligned end Address = 0x%I64x\n" | |
| $a16 = "CITMDRV.SYS: aligned start Address = 0x%I64x\n" | |
| $a17 = "CITMDRV.SYS: requested Size = 0x%x\n" | |
| $a18 = "CITMDRV.SYS: requested Address = 0x%I64x\n" | |
| $a19 = "CITMDRV.SYS: MmProbeAndLockPages access violation\n" | |
| $a20 = "CITMDRV.SYS: IoAllocateMdl failed\n" | |
| $a21 = "CITMDRV.SYS: userVirtualAddress = 0x%p\n" | |
| $a22 = "CITMDRV.SYS: unknown IRP_MJ_DEVICE_CONTROL\n" | |
| $a23 = "CITMDRV.SYS: IRP_MJ_CREATE\n" | |
| $a24 = "CITMDRV.SYS: IoCreateDevice failed\n" | |
| $a25 = "CITMDRV.SYS: IoCreateSymbolicLink failed\n" | |
| $a26 = "CITMDRV.SYS: DriverEntry...\n" | |
| $w0 = "\\DosDevices\\CITMDRV" wide | |
| $w1 = "\\Device\\PhysicalMemory" wide | |
| $w2 = "\\Device\\CITMDRV" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {D66D48AB487B00E92CAB08B846957A4918A507E5A6ACF04FEDCD529AB14D7EB0444DED486867E9C23B5CE55969AE520C6E556E2D1583277A6A09479D9CE2104BB76D1332005412F7D28AA1A85027F622F542F2832FB348F0454BE2D13BAD717280718D798272374000C8DF32748EB926321695E71ACA96FA4B55ACF24DF9A780BDEFE07205866592C1941457898ACB2A866226CF5C5E336C59B9D4359DAB8D340FCC0606C7565AEC8D5AACC37AAED10DD2F72260F831D1FA7ED05D69C7EF31C65424CAF31BF2D9482EA4108D0F7D13B30D6D5FC88D516E9992518D418A871F6CEBC20E55012AB2B7C73611995439723309A26374311F3C4C5D324E6CE5B2EAA3} | |
| $m3 = {97831E0016AF2CB1D208C4D7689351601E71F6E247B4DB584D23626AB4BF5A1B51F7A30D187768BBD836AB2F2150DA9EF3E75F274E0BC297C8097093A9DA5C0D4EA40D91A0B4EC14CE9172542ECEA3DB44E9521B3F413CCA4AE4AAC0E839AB53CC21D0CCCF7F9BE6C2CC586A8215EE3D36CF1CC59707248EF17BBE312D3D6EDCB599429F4B61955F1C70EE177DDB8BE5618978C7681BAF11781A98AEC4554753D9B332D6A10E4640C597928AD153A7995B853557D3EA936261200AC7307724114D6283B6BA7B688231EE65CADFF9D58DB235DC8C2B6F6A725C60849CF20C945EC056520048CCD3F8A57DDE2FD713E438A884D546B81386C21B9DEA5A38DD9BDB} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\NTIOLib_1_0_1" wide | |
| $w1 = "\\DosDevices\\NTIOLib_1_0_1" wide | |
| $m0 = {C4B5F25215BC88866029164A5B2F4B916B8791F335545835EAD1365E624D52513471C27B661D89C8DD2AC46A0AF637D9987491F692AEB0B57696F1A94A6345472E6B0B924E4B2B8CEE584A8BD407E41A2CF882AA58D9CD42F32DC075DE8DABC78E1D9A6C4C08951EDEDBEF67E172C249C29E603CE1E2BE16A3637869147BAD2D} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {A29B752AA713BA09712418DFA1066229129EDC9E7573E8DF5657699613564FF2C8BC0158ED2686720B60F519C55503579BB910C9A1D47440FF6C00E8E65337FEB7DA793EB85238E9812C9F0E3352A6CD70CE4A5D62F4D1675EBC974A07CABCDD8D47B1CDF1655B8501B04B6BDECD8E2EF550E8A39C9D26986B366341037044F05FE2257579507D5FA106A2460C55954714D39146866899E727F494EC9A4151F796D47A8CE14497687103D8586FBDB41042EE0D6675468B4496D23000120763F7449B0170CA566F9C58972A27178B2E71526D46ABA72B0F7F164864C852FA0617000774D745B30CF5789573E80AEEC4E0728C1E11AA1EBB5ECEF9B400EE73BDCD} | |
| $m3 = {BE2794996C4B3FA39C28F8E6124A05A5316441DFE0F087D59DFBC11259F88F8067D69B9F6046EAF084B1629A2CA0BF2498A31B4F181D1E1E952E870944256088967CA045958D071E9C135E8DC1CDCB66B8B3C65A2AFD3003055D7DA2CDBE8A1EB7889518CF35891488B3E8A849CE2A195C7D3ABDFC5EA01035D675B1FCD9CA35} | |
| $m4 = {B0B1F2800070CEECC38CB497EDC6098C266F89DF675981CFDE14134CC2B145E2537541FA07366FBA117028947C6D72BD071525653A09FF85DCFA7B5E378738E4C74B0880989E8ACD580902C0C30149965888892659F56DC6B9C1FB1825EDD8624ECA0A6C5D70EFCED39B290B09C6F6EEB616D43C548ECC5DE0AFDBDD2309327B328116620A06CB7ACF3421B66F36B6B1CECB9A2935403E9D587CFFAD8298FAB8D589CA35DDCBCD5706CB9BE4BF94A880985F7796F0B6E7AB74794021A663E9D00791BD8538B4AE96ACA1FF1473DAA545B84D86CE2A3CEFD4DF280E75A9A88813C2E47C6093F225CC038497E64EB69F2DD6B58B343CABD5383AC83DC4B1F994CD} | |
| $m5 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "Unload" | |
| $a1 = "ReadMemOutputClient ERROR..........." | |
| $a2 = "Unsupported Irp Function %p--%p\r\n" | |
| $a3 = "DriverEntry....\r\n" | |
| $a4 = "RegistryPath->Buffer %ws\r\n" | |
| $w0 = "NtQuerySystemInformation" wide | |
| $w1 = "ObRegisterCallbacks" wide | |
| $w2 = "ObUnRegisterCallbacks" wide | |
| $w3 = "\\DosDevices\\DianHuRing0" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {93237EBBE34E5A3E676516BB2FD81D755C7F0BC3746485FD2E0187C74689CBC8663478350A68224143BA493BEB391386A56A7A7FE02B21C5021F889A24A16892CF7F088A5F64D07FDB34E777DC271856B63B92271EF69A720CAC555FDCE74670E27E8B38441B172E57D9F587D4E56032C432C86D348A2B2E442F872B39C654323B77A8FF088380BED4191984A6FABD4524FD4E79A9DBAB69B32BCEDDFFF2F67B96AFD8B00FA89E77A9CDDDE9C6448F8162E0CDBE17B95F9C8BF4C3C0006F7F673440F5CB993C5CCF3C5D13B4E8C8A493C428664F906CAC06FFCB994CE8A28FB455E56397063E8D9DB4FB9DEA5D01C61CF174CF0963122F66C8078C10CCECEB9B} | |
| $m3 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m4 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "ERROR: IoDeleteSymbolicLink" | |
| $a1 = "Leaving MsIoUnload" | |
| $a2 = "Entering MsIoUnload" | |
| $a3 = "Leaving MapPhysicalMemoryToLinearSpace" | |
| $a4 = "ERROR: ZwOpenSection failed" | |
| $a5 = "ERROR: ObReferenceObjectByHandle failed" | |
| $a6 = "ERROR: HalTranslateBusAddress failed" | |
| $a7 = "ERROR: ZwMapViewOfSection failed" | |
| $a8 = "Entering MapPhysicalMemoryToLinearSpace" | |
| $a9 = "Leaving UnmapPhysicalMemory" | |
| $a10 = "ERROR: UnmapViewOfSection failed" | |
| $a11 = "Entering UnmapPhysicalMemory" | |
| $a12 = "Leaving MsIoDispatch" | |
| $a13 = "IRP_MJ_CREATE" | |
| $a14 = "ERROR: Unknown IRP_MJ_DEVICE_CONTROL" | |
| $a15 = "IRP_MJ_DEVICE_CONTROL" | |
| $a16 = "---Entry MsIoDispatch---" | |
| $a17 = "Leaving DriverEntry" | |
| $a18 = "ERROR: IoCreateDevice failed" | |
| $a19 = "ERROR: IoCreateSymbolicLink failed" | |
| $a20 = "Entering DriverEntry" | |
| $w0 = "\\DosDevices\\MsIo" wide | |
| $w1 = "\\Device\\PhysicalMemory" wide | |
| $w2 = "\\Device\\MsIo" wide | |
| $m0 = {D01802EEEDA28D0858630F26D7DD227B88F6E4C7EC3B261878D3C7A420538D837CA53F7EA5C82B47DF0DF5A6D9C31D259360CF7CDCEA032CBE787F5C486DA702D949F8A1EBEB9A617C9FC026D6DC15D8B8107C20BA5EF428F6A8EAA75C7CC69C9090343CB622ACFEBA0C3A1ED65E84B65BF0A38170788A8D46527BFCDB49F3291311744F8D16B3C2E3A02DC703049DCCC372E10E0CFB028EF126177B6EAEF8B7338BA6614B45DFF22544C7F7B0982336DC28790AE89B7288A8D8E8AE7B7F0A6445A5F057929A7706451EEB9FE866F37A7D92815F002D1EB8F656135A620DB747A18F72EF835E82E09498E1ACA5AD8637E0A7D3BAB13E7AEB45A8F1C1447DE203} | |
| $m1 = {CB9CE1C1316CADA89CE7CBFCFF61C45F7BD26FA8C3D1C6DBA20ABC16137AB8E7AA9CF0C1282AF7B8B0192B75303E979CA9C3D0FD1482AC2FB62F48B889B98985C195009277195B0F0B8214BD257897CB9520E14D1DB938313CE66C0CCA294FDC940353E72DF3DEC9123854E67F3B53C41499088C9A5C06105C36726EBC0F3943B4C962C6CCE682DC471DB2F6D23FCFF0832ED049884A5F420DC07A857CF43D4327F472E6E13AFBD0BB6446F99830E96862815DE3B6EE9CA88820420EB306D9279B0D677325435118D08E5D4594954164770B52F48B7E41A43E540DFE1490961A822C1C3EDF322A1BA7CB410F30B5C82896B2BA6AA1914D3746E412D827A6F419} | |
| $m2 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\atillk64" wide | |
| $w1 = "\\DosDevices\\atillk64" wide | |
| $m0 = {C4B5F25215BC88866029164A5B2F4B916B8791F335545835EAD1365E624D52513471C27B661D89C8DD2AC46A0AF637D9987491F692AEB0B57696F1A94A6345472E6B0B924E4B2B8CEE584A8BD407E41A2CF882AA58D9CD42F32DC075DE8DABC78E1D9A6C4C08951EDEDBEF67E172C249C29E603CE1E2BE16A3637869147BAD2D} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {BEBCEEBC7EEF83EBE0374FFB031038BE08D28C7D9DFA927F190CC26BEE42528CDED31C481325EAC1637AF95165EED3AA3BF5F0949C2BFBF266D424DAF7F59F6E193936BCD0A376081E2227246C389127E28449AE1B8AA1FD25822C1030E871AB28E8774A51F1ECCDF8F054D46FC0E36D0A8FD9D8648D63B22D4E27F6850EFE6DE32999E285477C2D867FE8578FAD67C23332911320FCA923149A6DC2844B766804D5712C5D21FA880D26FD1F2D912BE701554DF26D352882DFD96B5CB6D6D9AA81FD5FCD83BA639DD022FCA93B4269B28E3AB5BCB49E0F5EC4EA2C828B28FD530896DDB50120D1F9A518E7C0EE517037E1B6054852486F38EAC3E86C7B4484BB} | |
| $m3 = {ABA75B08B1962B58AFE333A7D70879B6A58FB242A9BE4BF0682368936AD67CF849872EA4EA7DD97063E34EEC065D4B30EFEC49CC122BC976F168AAF16B44E89684BF9BEC8B5BE9A1605C9E3615995B137E9B40D5056093C8AD8AD205275099D5F003B309F549B21D03484B4A45426F52C34AB17FCC95C64118FF71898B4C42F1} | |
| $m4 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_be54f7279e69fb7651f98e91d24069dbc7c4c67e65850e486622ccbdc44d9a57 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "be54f7279e69fb7651f98e91d24069dbc7c4c67e65850e486622ccbdc44d9a57" | |
| created = "2023-04-07" | |
| strings: | |
| $m0 = {B24F14E710BED72672AB3697EF53BF42845E58D18A28FC43466F7E2844500B755D00D73C0A449E206AA4F7454A3760A36E3F12FA6DFAB646C36AA3B80C2728025728D150F7613955B8C3E12586523CBF051DD7B39AF89A243149D5A2A9E2D391AB3E3C73EFF629F1C835D0307B7F4E92A5068F87E2CEF5C16366AC18692AC15EBB5AE86E95FF3B80629D99C7C72F66D5FD621A82555AC6FA40778EC9303C1BF0F235B86C599CFDE9D6CAB4401EF704CAD167A974E3A50854D983353B8E8C230C75B6DE864A9E1A3E0A5049389CD2A890BF98FAC88C2B27117E2AFBCEDEA9AE389322FAA6ECFB5C6176C344D6CC0C7E2F6D0680A27440BBB71FF43BD773541FF3} | |
| $m1 = {BC35A03670228111C3B283B9D328C636CD256BA97BB21CF69B519CEF35F4ED088E5E3808F8773C0A42E0F370DCA3D7CAF54C0BCFFF229C0A7E68D609A22A847BA69DB4A9C133E2EF1F1748CA3ACD46E6C5AA77BDE3779AFA47534028594393F1A481EAEF80B54FA708CEBA6EBCCA760C9764598624BB3D8290A855B192D3A0A705AC9F532508104799CD98DE68E5B45078A3AF01CC594358E4766E7EACC7E29E1F4FB0472DC80CA3492780758CBB0691650F909BF4BAD181C85C6AEC14E92509BF2316F49546404021BB8396FD861F7AC80D108EA2F81907587F9FBD370260F2A4E99D443F3005E4A77099519AE817F155CAB261896546A76AF258467EAAA007} | |
| $m2 = {C47E9F44B3FE6D16C1B6CA86B8902D28AEF9D296F47413DB3A58A6966AD2429B83B2FB9D75397C0FE5D0E1A853378202442E20A1F9223D03139DA0AB205C6500DB1E62C31992274C6D491ACC17F624E905BA7789BB84ED2B918F12E14E868A7C9F9837FB17510323BDD19F0E65C99706B326F154B3F02194060816D8AF40382C0473808F27B4DE78F7626657BD522B46B9968460CB23E0DF521A6D197FEED61CFF2B72C3FC07D17569BA07C1D7E5CEF507794186501A98896AC2DDB8C471F58DC05BB43E5AA5E3DDD5FEFF18CE0FBAE8DAC2CE2D54D61636861B7207E0931C0AF3E2204ED7666136C862B3B67629F3216D987D53C83A6393E5E021F8C93D6187} | |
| $m3 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_7f190f6e5ab0edafd63391506c2360230af4c2d56c45fc8996a168a1fc12d457 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "7f190f6e5ab0edafd63391506c2360230af4c2d56c45fc8996a168a1fc12d457" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "CITMDRV.SYS: ZwCreateFile failed (0x%x)\n" | |
| $a1 = "CITMDRV.SYS: unload...\n" | |
| $a2 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_WRITECOMBINE\n" | |
| $a3 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_NOCACHE\n" | |
| $a4 = "CITMDRV.SYS: ZwUnmapViewOfSection failed (0x%x)\n" | |
| $a5 = "CITMDRV.SYS: copy %u bytes into user memory\n" | |
| $a6 = "CITMDRV.SYS: virtualAddress=0x%p\n" | |
| $a7 = "CITMDRV.SYS: Insufficient input or output buffer\n" | |
| $a8 = "CITMDRV.SYS: ZwMapViewOfSection failed (0x%x)\n" | |
| $a9 = "CITMDRV.SYS: aligned Address = 0x%I64x\n" | |
| $a10 = "CITMDRV.SYS: requested offset = 0x%x\n" | |
| $a11 = "CITMDRV.SYS: userOffset = 0x%x\n" | |
| $a12 = "CITMDRV.SYS: Try to split into single pages\n" | |
| $a13 = "CITMDRV.SYS: ZwOpenSection failed (0x%x)\n" | |
| $a14 = "CITMDRV.SYS: offset = 0x%x\n" | |
| $a15 = "CITMDRV.SYS: aligned end Address = 0x%I64x\n" | |
| $a16 = "CITMDRV.SYS: aligned start Address = 0x%I64x\n" | |
| $a17 = "CITMDRV.SYS: requested Size = 0x%x\n" | |
| $a18 = "CITMDRV.SYS: requested Address = 0x%I64x\n" | |
| $a19 = "CITMDRV.SYS: MmProbeAndLockPages access violation\n" | |
| $a20 = "CITMDRV.SYS: IoAllocateMdl failed\n" | |
| $a21 = "CITMDRV.SYS: userVirtualAddress = 0x%p\n" | |
| $a22 = "CITMDRV.SYS: unknown IRP_MJ_DEVICE_CONTROL\n" | |
| $a23 = "CITMDRV.SYS: IRP_MJ_CREATE\n" | |
| $a24 = "CITMDRV.SYS: IoCreateDevice failed\n" | |
| $a25 = "CITMDRV.SYS: IoCreateSymbolicLink failed\n" | |
| $a26 = "CITMDRV.SYS: DriverEntry...\n" | |
| $w0 = "\\DosDevices\\CITMDRV" wide | |
| $w1 = "\\Device\\PhysicalMemory" wide | |
| $w2 = "\\Device\\CITMDRV" wide | |
| $m0 = {A9596674DA3D8A7D7AD8FCF580447BFE476A14554E50470BECD3EDCEF638F74F69B9B1F0B678820A8C761667E202ADB70DA58AF603FC66D3FC082DCCB573597B89DC336E665A5E5237B462D1925935148B45AC59B24D24A298946842729F3A68E26B8B9E222DF4984E9AC6AFB3E4A0AB3C28BF23E1D772A4F2105367AE77AF51} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {C19C559C6A1B732FDAC3DEF6D5255CF6D9C9116D00B46A3D4C1D2351789690D3CCD17891EC9A395511748C2F4C0B6B98C6BBBEE515A6A7450D6F3048153E46FE0FCFAA68D4F1D32E35EA6BCA67FA90A8F3A533A3711A685B4E4219E4CE7A2DBBE5C0BBCE17167C18741E76C599D7D6073C70CA65FB1923BE80260E86FF71125D} | |
| $m3 = {BE671DB460AA10496F56177C66C95E860DD5F1ACA771838E8B89F88804891506BA2D842195E4D19C504CFBD222BDDAF2B2353B1E8FC309FBFC132E5ABF897C3D3B251EF6F3587B9CF401B5C60AB880CEBE27746167274D6AE5EC81615879A3E01710121527B0E14D347F2B472044B9DE6624668ACD4FBA1FC538C85490E172F61966756AB94968CF38790DAA30A8DB2C60489ED7AA1401A983D7389130391396033A7C4054B6ADE02F1B83DCA811523E02B3D72BFD21B6A75CA30F0BA9A610500E342E4DA7CEC95E25D48CBCF36E7C29BC015DFC31875AD58C8567588819A0BF35F0EA2BA321E790F683E5A8ED60785E7B6083FD570B5D410D635460D64321EF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\WinRing0_1_2_0" wide | |
| $w1 = "\\DosDevices\\WinRing0_1_2_0" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {E4D3C38338A3DE3FAA7A25BCE732E4DDFDBD3A3DA958F6D0610AF50C5E71DECE718530EF7883FD19B34E6936FBAF540481048A9C4D6A5498951242043310EE9723E7D13D1B20E418C242A218154D00674756D5C1121C481B9E4325AA3D7C5DA9ABABAE272DEDB38A9DB7BC4E0A7C24908DD110BFCAE0FA9AAF3C089C746CD80519AB1DA564F44F9F068C65FA7ED6986520589D7D2591B59FCCCD408B80F91912FF3FBD433AFA1D132FC7BCBE18253690ADD4E0CD17E6979340EF9BA5FFABE290147CBC56BE813E2E4C1EDC37859BAABF70FA546B536DBA5F73ECE5EE0A582C649594C74977E3D2F239CD88CEC5D340D6097C01C2D2A264708DBA057834AF66B1} | |
| $m3 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m4 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "MAPMEM.SYS: memory successfully mapped\n" | |
| $a1 = "MAPMEM.SYS: memory map failed :(\n" | |
| $a2 = "InputBufferLength=%d,szieof(PVOID)=%d" | |
| $a3 = "MAPMEM.SYS: memory successfully unmapped\n" | |
| $a4 = "MAPMEM.SYS: ZwUnmapViewOfSection failed\n" | |
| $a5 = "In SMBUS Control" | |
| $a6 = "Exit SMBUS Control" | |
| $a7 = "In Alloc function!!" | |
| $a8 = "Exit Alloc function!!" | |
| $a9 = "VirtualAddress=0x%x" | |
| $a10 = "Buffer size not match !!" | |
| $a11 = "Valid(dwHandle)=%x" | |
| $a12 = "ptPageAddr->dwHandle VA=%x,sizeof(dwHandle)=%d" | |
| $a13 = "Physical Address=%x,dwLins=%x" | |
| $a14 = "Allocate Size=%d" | |
| $a15 = "(FREE_PHYS_MEM) Insufficient input or output buffer\n" | |
| $a16 = "Default VA=%x" | |
| $a17 = "Physical Address=%x" | |
| $w0 = "\\Device\\GIO" wide | |
| $w1 = "\\DosDevices\\GIO" wide | |
| $w2 = "\\Device\\PhysicalMemory" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {E77A0E8ABBA2CBD484A03F194E2808425DE8B338EE47965744182E7CCEED4A4BC890A952900E05B40F738E1049AD416C0F24782CFDF8C724144E234A03606035DA5D28AF274A3ABB2DE28404DA8FBB13ED4E8BE1CEABAAC3CBD59DDBB64DB472469941DDD35A467F48646B1BBFA3A08EF0F1C1D5359910288AE50368F72671B8DBBF38FEF5153DB3D7402454352FA3BAA1E47942E37692DF86AD4A7F2E3E1FD9CE0F88B7E1BC63673FFBC8DDD19CFECC8087022CB731ABABA4B2494E4D06333E3CC28A74D78F6D2E7ED5C0F417D756FADA4CEEE7EAF423069570DE72FC9F9CF7BF644EBF090FC93B42801772320112B3CA6C6D9D1D9FEE52944255B107541451} | |
| $m3 = {97831E0016AF2CB1D208C4D7689351601E71F6E247B4DB584D23626AB4BF5A1B51F7A30D187768BBD836AB2F2150DA9EF3E75F274E0BC297C8097093A9DA5C0D4EA40D91A0B4EC14CE9172542ECEA3DB44E9521B3F413CCA4AE4AAC0E839AB53CC21D0CCCF7F9BE6C2CC586A8215EE3D36CF1CC59707248EF17BBE312D3D6EDCB599429F4B61955F1C70EE177DDB8BE5618978C7681BAF11781A98AEC4554753D9B332D6A10E4640C597928AD153A7995B853557D3EA936261200AC7307724114D6283B6BA7B688231EE65CADFF9D58DB235DC8C2B6F6A725C60849CF20C945EC056520048CCD3F8A57DDE2FD713E438A884D546B81386C21B9DEA5A38DD9BDB} | |
| $m4 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "GenericDrv.SYS: Invalid Address\n" | |
| $a1 = "GenericDrv.SYS: Allocation from Non_Paged Pool failed" | |
| $a2 = "GenericDrv.SYS: Inside DeallocateNonPagedPool\n" | |
| $a3 = "GenericDrv.SYS:HalTranslateBusAddress failed\n" | |
| $a4 = "GenericDrv.SYS: Inside gdDMIAccessPort\n" | |
| $a5 = "GenericDrv.SYS: Inside gdReadPort\n" | |
| $a6 = "GenericDrv.SYS: Inside gdWritePort\n" | |
| $a7 = "Leaving MapPhysicalMemoryToLinearSpace" | |
| $a8 = "ERROR: ZwOpenSection failed" | |
| $a9 = "ERROR: ObReferenceObjectByHandle failed" | |
| $a10 = "ERROR: MappingLength = 0" | |
| $a11 = "ERROR: RtlLargeIntegerSubtract failed" | |
| $a12 = "ERROR: ZwMapViewOfSection failed" | |
| $a13 = "Entering MapPhysicalMemoryToLinearSpace" | |
| $a14 = "Leaving UnmapPhysicalMemory" | |
| $a15 = "ERROR: UnmapViewOfSection failed" | |
| $a16 = "Entering UnmapPhysicalMemory" | |
| $a17 = "GenericDrv.SYS:Unloading\n" | |
| $a18 = "GenericDrv.SYS: Invalid Buffer\n" | |
| $a19 = "GenericDrv.SYS: IoCtl IOCTL_GENERICDRV_ALLOC_BUFFER\n" | |
| $a20 = "GenericDrv.SYS: IoCtl IOCTL_GENERICDRV_DEALLOC_BUFFER\n" | |
| $a21 = "GenericDrv.SYS: IoCtl IOCTL_GENERICDRV_PHY_TO_VIRTUAL\n" | |
| $a22 = "GenericDrv.SYS: IoCtl IOCTL_GENERICDRV_UNMAP\n" | |
| $a23 = "GenericDrv.SYS: IoCtl IOCTL_GENERICDRV_PORT_READ\n" | |
| $a24 = "GenericDrv.SYS: IoCtl IOCTL_GENERICDRV_PORT_WRITE\n" | |
| $a25 = "GenericDrv.SYS: IoCtl IOCTL_GENERICDRV_PORT_DMIACCESS\n" | |
| $a26 = "GenericDrv.SYS: IoCtl IOCTL_GENERICDRV_GET_VERSION\n" | |
| $a27 = "GenericDrv.SYS:Unknown IoctlCode\n" | |
| $a28 = "GenericDrv.SYS:Inside gdDeviceIoCtl\n" | |
| $a29 = "GenericDrv.SYS: IRP_MJ_CREATE\n" | |
| $a30 = "GenericDrv.SYS: IRP_MJ_CLOSE\n" | |
| $a31 = "GenericDrv.SYS: IRP_MJ_READ\n" | |
| $a32 = "GenericDrv.SYS: IRP_MJ_WRITE\n" | |
| $a33 = "GenericDrv.SYS: IRP_MJ_DEVICE_CONTROL\n" | |
| $a34 = "GenericDrv.SYS:IoCreateDevice failed.\n" | |
| $a35 = "GenericDrv.SYS:Unable to create Symbolic Link\n" | |
| $a36 = "GenericDrv.SYS:Inside DriverEntry\n" | |
| $w0 = "\\Device\\PhysicalMemory" wide | |
| $w1 = "\\Device\\ucorew64" wide | |
| $m0 = {C4B5F25215BC88866029164A5B2F4B916B8791F335545835EAD1365E624D52513471C27B661D89C8DD2AC46A0AF637D9987491F692AEB0B57696F1A94A6345472E6B0B924E4B2B8CEE584A8BD407E41A2CF882AA58D9CD42F32DC075DE8DABC78E1D9A6C4C08951EDEDBEF67E172C249C29E603CE1E2BE16A3637869147BAD2D} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {BEBCEEBC7EEF83EBE0374FFB031038BE08D28C7D9DFA927F190CC26BEE42528CDED31C481325EAC1637AF95165EED3AA3BF5F0949C2BFBF266D424DAF7F59F6E193936BCD0A376081E2227246C389127E28449AE1B8AA1FD25822C1030E871AB28E8774A51F1ECCDF8F054D46FC0E36D0A8FD9D8648D63B22D4E27F6850EFE6DE32999E285477C2D867FE8578FAD67C23332911320FCA923149A6DC2844B766804D5712C5D21FA880D26FD1F2D912BE701554DF26D352882DFD96B5CB6D6D9AA81FD5FCD83BA639DD022FCA93B4269B28E3AB5BCB49E0F5EC4EA2C828B28FD530896DDB50120D1F9A518E7C0EE517037E1B6054852486F38EAC3E86C7B4484BB} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {BECA00720856813FBDDF897AC1CA6213813F629B7910FA4143C8CA3453AEDC62DDE8E5C8B029707ABA50D48CCA2E3C779E9AA55D23BD13351878B5CB46BBFEFD233AD22EA14C73A6281C188FAF69C9AEEB926EC6FCDCA49947EDD226D686DE173BC3093AC24A4826370CB92FE5CD516E670BA2C8C466743025F97C783114CC2D} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\NTIOLib_1_0_2" wide | |
| $w1 = "\\DosDevices\\NTIOLib_1_0_2" wide | |
| $m0 = {C4B5F25215BC88866029164A5B2F4B916B8791F335545835EAD1365E624D52513471C27B661D89C8DD2AC46A0AF637D9987491F692AEB0B57696F1A94A6345472E6B0B924E4B2B8CEE584A8BD407E41A2CF882AA58D9CD42F32DC075DE8DABC78E1D9A6C4C08951EDEDBEF67E172C249C29E603CE1E2BE16A3637869147BAD2D} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {A29B752AA713BA09712418DFA1066229129EDC9E7573E8DF5657699613564FF2C8BC0158ED2686720B60F519C55503579BB910C9A1D47440FF6C00E8E65337FEB7DA793EB85238E9812C9F0E3352A6CD70CE4A5D62F4D1675EBC974A07CABCDD8D47B1CDF1655B8501B04B6BDECD8E2EF550E8A39C9D26986B366341037044F05FE2257579507D5FA106A2460C55954714D39146866899E727F494EC9A4151F796D47A8CE14497687103D8586FBDB41042EE0D6675468B4496D23000120763F7449B0170CA566F9C58972A27178B2E71526D46ABA72B0F7F164864C852FA0617000774D745B30CF5789573E80AEEC4E0728C1E11AA1EBB5ECEF9B400EE73BDCD} | |
| $m3 = {BE2794996C4B3FA39C28F8E6124A05A5316441DFE0F087D59DFBC11259F88F8067D69B9F6046EAF084B1629A2CA0BF2498A31B4F181D1E1E952E870944256088967CA045958D071E9C135E8DC1CDCB66B8B3C65A2AFD3003055D7DA2CDBE8A1EB7889518CF35891488B3E8A849CE2A195C7D3ABDFC5EA01035D675B1FCD9CA35} | |
| $m4 = {B0B1F2800070CEECC38CB497EDC6098C266F89DF675981CFDE14134CC2B145E2537541FA07366FBA117028947C6D72BD071525653A09FF85DCFA7B5E378738E4C74B0880989E8ACD580902C0C30149965888892659F56DC6B9C1FB1825EDD8624ECA0A6C5D70EFCED39B290B09C6F6EEB616D43C548ECC5DE0AFDBDD2309327B328116620A06CB7ACF3421B66F36B6B1CECB9A2935403E9D587CFFAD8298FAB8D589CA35DDCBCD5706CB9BE4BF94A880985F7796F0B6E7AB74794021A663E9D00791BD8538B4AE96ACA1FF1473DAA545B84D86CE2A3CEFD4DF280E75A9A88813C2E47C6093F225CC038497E64EB69F2DD6B58B343CABD5383AC83DC4B1F994CD} | |
| $m5 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_b48a309ee0960da3caaaaf1e794e8c409993aeb3a2b64809f36b97aac8a1e62a | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "b48a309ee0960da3caaaaf1e794e8c409993aeb3a2b64809f36b97aac8a1e62a" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "HHHHHHHHHHHHHHHH[AsmaIns] <GpdIoctlGetCpuFrequence> ulTmp2=%d \n" | |
| $a1 = "HHHHHHHHHHHHHHHH[AsmaIns] <GpdIoctlGetCpuFrequence> ulTmp1=%d \n" | |
| $a2 = "HHHHHHHHHHHHHHHH[AsmaIns] <GpdIoctlGetCpuFrequence> ulTmp2=%d \n" | |
| $a3 = "HHHHHHHHHHHHHHHH[AsmaIns] <GpdIoctlGetCpuFrequence> ulTmp1=%d \n" | |
| $a4 = "HHHHHHHHHHHHHHHH[AsmaIns] <RDTSC> Interval2.QuadPart=%d \n" | |
| $a5 = "[MapMemMapTheMemory] Out\n" | |
| $a6 = "[MapMemMapTheMemory] STATUS_INSUFFICIENT_RESOURCES\n" | |
| $a7 = "[MapMemMapTheMemory] STATUS_SUCCESS\n" | |
| $a8 = "[MapMemMapTheMemory] ZwOpenSection\n" | |
| $a9 = "[MapMemMapTheMemory] In\n" | |
| $w0 = "\\Device\\PhysicalMemory" wide | |
| $w1 = "\\DosDevices\\Asusgio" wide | |
| $w2 = "\\DosDevices\\Asusgio" wide | |
| $w3 = "\\Device\\Asusgio" wide | |
| $m0 = {C4B5F25215BC88866029164A5B2F4B916B8791F335545835EAD1365E624D52513471C27B661D89C8DD2AC46A0AF637D9987491F692AEB0B57696F1A94A6345472E6B0B924E4B2B8CEE584A8BD407E41A2CF882AA58D9CD42F32DC075DE8DABC78E1D9A6C4C08951EDEDBEF67E172C249C29E603CE1E2BE16A3637869147BAD2D} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {BEBCEEBC7EEF83EBE0374FFB031038BE08D28C7D9DFA927F190CC26BEE42528CDED31C481325EAC1637AF95165EED3AA3BF5F0949C2BFBF266D424DAF7F59F6E193936BCD0A376081E2227246C389127E28449AE1B8AA1FD25822C1030E871AB28E8774A51F1ECCDF8F054D46FC0E36D0A8FD9D8648D63B22D4E27F6850EFE6DE32999E285477C2D867FE8578FAD67C23332911320FCA923149A6DC2844B766804D5712C5D21FA880D26FD1F2D912BE701554DF26D352882DFD96B5CB6D6D9AA81FD5FCD83BA639DD022FCA93B4269B28E3AB5BCB49E0F5EC4EA2C828B28FD530896DDB50120D1F9A518E7C0EE517037E1B6054852486F38EAC3E86C7B4484BB} | |
| $m3 = {C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A7} | |
| $m4 = {A12E19AC5DBA00553B090B9CC105805B17736BB9031167C15CD22498D617B97E234A2A556FD78F6ACECE16EAECF728404AE3DFE5E5E08F77EC1F4AE09F96A65329FD871B2FE68CB35E8B15D2D9D30C54E561B393667CA2E8FA1B6C0894A4A2200DDDFD067B532CDCE0246CFBE440336570BE365C97623E99619A3313916B536B} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\NTIOLib_MSIRatio_CC" wide | |
| $w1 = "\\DosDevices\\NTIOLib_MSIRatio_CC" wide | |
| $m0 = {A9596674DA3D8A7D7AD8FCF580447BFE476A14554E50470BECD3EDCEF638F74F69B9B1F0B678820A8C761667E202ADB70DA58AF603FC66D3FC082DCCB573597B89DC336E665A5E5237B462D1925935148B45AC59B24D24A298946842729F3A68E26B8B9E222DF4984E9AC6AFB3E4A0AB3C28BF23E1D772A4F2105367AE77AF51} | |
| $m1 = {A9CAB2A4CCCD20AF0A7D89AC8775F0B44EF1DFC10FBF6761BDA3641CDABBF9CA33AB843089587E8CDB6BDD369E0FBFD1EC78F277A67E6F3CBF93AF0DBA68F46C94CABD522DAB483DF5B6D55D5F1B029FFA2F6B1EA4F7A39AA61AC802E17F4C52E30E60EC401C7EB90DDE3FC7B4DF87BD5F7A6A312E03998113A84720CE31730D572DCD78343395129912B9DE682FAAE6E3C28A8C2AC38B218766BD8358576F75BF3CAA26875DCA10153C9F84EA54C10A6EC4FEC54ADDB9071197227CDB3E27D11E78EC9F31C9F1E62219DBC4B347439A1A5FA01E90E45EF5EE7CF17DAB62018FF54D0BDED02256A895CDAE8876AEEEBA0DF3E44DD9A0FB68A0AE143BB387C1BB} | |
| $m2 = {B24F14E710BED72672AB3697EF53BF42845E58D18A28FC43466F7E2844500B755D00D73C0A449E206AA4F7454A3760A36E3F12FA6DFAB646C36AA3B80C2728025728D150F7613955B8C3E12586523CBF051DD7B39AF89A243149D5A2A9E2D391AB3E3C73EFF629F1C835D0307B7F4E92A5068F87E2CEF5C16366AC18692AC15EBB5AE86E95FF3B80629D99C7C72F66D5FD621A82555AC6FA40778EC9303C1BF0F235B86C599CFDE9D6CAB4401EF704CAD167A974E3A50854D983353B8E8C230C75B6DE864A9E1A3E0A5049389CD2A890BF98FAC88C2B27117E2AFBCEDEA9AE389322FAA6ECFB5C6176C344D6CC0C7E2F6D0680A27440BBB71FF43BD773541FF3} | |
| $m3 = {BE4A2335C1F42275B5B0E7DD0A5B0C23655C15460D6E2E8455950F3EF4B46165CFB462C11F2C83EF605BF8ED1DC0808584DFD27F07F168DCDB64FB74B8F5A27190D81B187D0DD3F16A379AE523C9E2CF99ECC3EC1DA2567DB7967A08068BBC3288C310C7C6E0A34D724969FA8E317A31B2C8A414CBF217370C842939E5AE40813C50D577DCFED6E87CD8DF87744A8DED04E18FDD01E450A737B1663BF0A883778250EE26B95DD6A1F3F2AD0509B44D9E4CA02267FE8BC62F00197AD013933EC5F91B85208709E947F724CB1A1193F9CE3F1CD8CFAEC366C3C941E12F65EB098B67E31B59175C57B4D0A8988A7B5D93084EA27D4C14D525EC42C2B117D2BDA47B} | |
| $m4 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4" | |
| created = "2023-04-07" | |
| strings: | |
| $m0 = {CC2EA1524909CC22EF3443DC41A698A01F0F691A33B292A573264E1DB9E2ABC446E13EF924C2F61C007BDC1CD9AE5AA9E48651F2C0FB2D1A94CBBE13A8C6F783631E27193F9536BF4098382352B2F9C7E2146EFE31D56FC6D10F0A45549C7A6CBFB40248310AC26CED4AC1691A9BF73E05E301994AA90F703694A3BAE50FAF769CA24FA1780EF0A2D5F06D9F0C334CC3B9A6FB0DB5870008F1386B1F1DB0EEE8C48D8943C908102A92A387EE172724A3121B11BC8C159A088AD73A5EED04A0E0E6EDEF346D2C53BF9009DE7D591F539CD4B7B9197216953DFF7970FF465E9C33684A06D3EC6CB4C7A37D8D8484363C12D597FBEC4D879D73C4E2AF2F844818BB} | |
| $m1 = {C6CCE573E6FBD4BBE52D2D32A6DFE5813FC9CD2549B6712AC3D5943467A20A1CB05F69A640B1C4B7B28FD098A4A941593AD3DC94D63CDB7438A44ACC4D2582F74AA5531238EEF3496D71917E63B6ABA65FC3A484F84F6251BEF8C5ECDB3892E306E508910CC4284155FBCB5A89157E71E835BF4D72093DBE3A38505B77311B8DB3C724459AA7AC6D00145A04B7BA13EB510A984141224E656187814150A6795C89DE194A57D52EE65D1C532C7E98CD1A0616A46873D03404135CA171D35A7C55DB5E64E13787305604E511B4298012F1793988A202117C2766B788B778F2CA0AA838AB0A64C2BF665D9584C1A1251E875D1A500B2012CC41BB6E0B5138B84BCB} | |
| $m2 = {A3645DFC7CB3E08235E0E0F6C62AE649753BCC6EE053A99F1F6459E67C6B7F6B8C9D55F892E39ED55A635B024950D983CE6F66EEDDCB85E95FA5F9D4877488443B19C9E5F5919FC61439AC24EAA84B2C9189CC5E28F464B650B7F512B373960A67A3BE619FAEF3FD1278750EA65B14FD45238E8644557D1886058C5587794846F7CA0E8DA7DE4E5FE2A8B62D5902618861721868B9B87CEEE6E7342F317781301FBB36018DEF27E3F79AF04C31648DE3EBFA1987A87ECFEC8C0C365B7AC17AB878C7C9062E4610C88DE80460DBBC7374FA4ED8FEAA40F1B2CE704683E9DA40A1593AD915095799563093F3C961CCD008CC6BEC624291AC02C0EFA4F089118F77} | |
| $m3 = {C5F923E69427C48014A480325F40A38D6F70C0E53671713A75A4AA1A9294895EAC2371CB4E677D413FAAE34BB77BBE9DC1A8388F692F3A24E9775912C7660443C20D2682894019F22CEAE74CE77C051AB8FF88094F2637EF3AA4FA226C88C94A1B61F2AE105E6FBCD1799B591860E5EE29B5032AA4CEF183194F6905732809FB22109322A090191A4C31F2D32BD88443AF3C63FF98DB20D2092B54C1EAFD6A83E710A31271F5D6D7E1127AD5E0565ACEEA015B68655BC13F585233A935614E22CB81CA36A312CB06D6CF1B4D187EB992B912CF4026D89A3685B315AA4793846B07BBBCD5B3DE250011890068C1293CEA3E2DEE50ABD71C3006783CA510236791} | |
| $m4 = {E8822D99F9CAC24295A580734070D29E56545CA9C4D241068FC933FC4D45915C819FED2C9CF81659DF9EB52415C298B9B47749DC89C40ADAAFCB5E6BEDADB07131EBCF3A400C464D93EC8B7A360803AB0C34FE184982FEC7C73148807C1EA20F920E50C9C687EB363FD830C3FFA6F7FBA2CD6F7323FEAC560590F032211689C67088F905977DA3C743DD02E83B3DEDB141A3ED3FBEDB9548C4EE1EB3F2BC0C2B99D0C65D124281E1836E82733F264B1490AE59660AC48DBED2CE06AEAD846F48849B4F40B9F14CF2AF98FBF6CE405D5CF6A8F12FAFEC8922F26B1865B1C173ADD7F1D8CF1E0A745C42B8687EB7D5770A27567C0F62A43F32146095FD0704A209} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "IOCTL_PHYMEM_GETCHANNEL\n" | |
| $a1 = "IOCTL_PHYMEM_SETCHANNEL\n" | |
| $a2 = "inBufLength=%x outBufLength=%x" | |
| $a3 = "IoControlCode = %x" | |
| $a4 = "Call to MmMapLocked failed due to exception 0x%0x\n" | |
| $a5 = "Map physical 0x%p to virtual 0x%p, size %u" | |
| $a6 = "Call to ExAllocatePoolWithTag MAPINFO failed\n" | |
| $a7 = "Call to MmMapLockedPagesSpecifyCache MAPINFO failed\n" | |
| $a8 = "Hardware ID: 0x%08X\n" | |
| $a9 = "!!!!!!SmiPort=0x%x SmiCommand=0x%x SmiSubCommand=0x%x!!\n" | |
| $a10 = "KeActiveProcessors=0x%zx" | |
| $a11 = "SmiResult=%d\n" | |
| $a12 = "!!IOCTL_PHYMEM_GETCHANNEL\n" | |
| $a13 = "MutexType =%x AddrRegOffset = %x AddrRegValue = %x\n" | |
| $a14 = "DataRegOffset =%x DataRegValue = %x WaitTime = %x\n" | |
| $a15 = "!!IOCTL_PHYMEM_SETCHANNEL\n" | |
| $a16 = "!!IOCTL_PHYMEM_INFORM_FP_FW_S3S4S5\n" | |
| $w0 = "\\Registry\\MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Power" wide | |
| $w1 = "HiberbootEnabled" wide | |
| $m0 = {C6CCE573E6FBD4BBE52D2D32A6DFE5813FC9CD2549B6712AC3D5943467A20A1CB05F69A640B1C4B7B28FD098A4A941593AD3DC94D63CDB7438A44ACC4D2582F74AA5531238EEF3496D71917E63B6ABA65FC3A484F84F6251BEF8C5ECDB3892E306E508910CC4284155FBCB5A89157E71E835BF4D72093DBE3A38505B77311B8DB3C724459AA7AC6D00145A04B7BA13EB510A984141224E656187814150A6795C89DE194A57D52EE65D1C532C7E98CD1A0616A46873D03404135CA171D35A7C55DB5E64E13787305604E511B4298012F1793988A202117C2766B788B778F2CA0AA838AB0A64C2BF665D9584C1A1251E875D1A500B2012CC41BB6E0B5138B84BCB} | |
| $m1 = {B2C903159C2CCD4711FF52F322EA54BBA49BE1E9E1230130264D25CD4AB95B0B79625B9A7B70A16226430B51060D58145DC6B24BF5C9F20AB4F6A12C6EABFF2A819A1132FA0EF5F9ED9FA1E0017E916D2B016AA9E82DB6144561235B1DE77004003A398900477A522978C287894D7DFE7764D2201CBD0D403A9310820D43CDB921B86D1B8ECBB7374E758DD0678B821EE55542B617417393FA6755C1B81FA5969C60C34318D527D45F86FEAFDC95111862BE2CA9D308B8CA264E23CC2A0DF0F69557FCC7F3E1BB046D7BDE904A6C61798CA3FB70231E302C240645FF941B76A1DEC66764C85AB8E646D5134BB3D660204B8F0949359DD4FFDD4DB3EF3D3BFCBD} | |
| $m2 = {A3645DFC7CB3E08235E0E0F6C62AE649753BCC6EE053A99F1F6459E67C6B7F6B8C9D55F892E39ED55A635B024950D983CE6F66EEDDCB85E95FA5F9D4877488443B19C9E5F5919FC61439AC24EAA84B2C9189CC5E28F464B650B7F512B373960A67A3BE619FAEF3FD1278750EA65B14FD45238E8644557D1886058C5587794846F7CA0E8DA7DE4E5FE2A8B62D5902618861721868B9B87CEEE6E7342F317781301FBB36018DEF27E3F79AF04C31648DE3EBFA1987A87ECFEC8C0C365B7AC17AB878C7C9062E4610C88DE80460DBBC7374FA4ED8FEAA40F1B2CE704683E9DA40A1593AD915095799563093F3C961CCD008CC6BEC624291AC02C0EFA4F089118F77} | |
| $m3 = {B906741C5DB420AAA921A82A4246AB25201725CB228F90A2A0316B830575AFB20E7C12497B6A8664840F83DC64B9B16E16053E1C95B9E7E7886DB862819079D4DDF5E296F9C3B58823574A1ACF7129E908008FB598E3A732FDAC2EB8F49353F40A394391AFD56BE8D49F46BD8E3DABE2F92BD4EA00406624B7E87FB444758D789AAE31C137CF4E1F5BF8454AD73FC2C9920664BEDE068AAFD0E88AB1F02C88006F0BDC85A74CCB06BFD62E2A326E2971AF8E22F30FD0D898482DA808CBB68B23C263E0B673EB6F7D264F8BF7343D37860CB77827F4C286DB436B5AF83D3DF4E8B06256C6E7ED78A1FBFD7A724F3265C47CC3C477A0043232ED8F3FAF86DD7ED1} | |
| $m4 = {E8822D99F9CAC24295A580734070D29E56545CA9C4D241068FC933FC4D45915C819FED2C9CF81659DF9EB52415C298B9B47749DC89C40ADAAFCB5E6BEDADB07131EBCF3A400C464D93EC8B7A360803AB0C34FE184982FEC7C73148807C1EA20F920E50C9C687EB363FD830C3FFA6F7FBA2CD6F7323FEAC560590F032211689C67088F905977DA3C743DD02E83B3DEDB141A3ED3FBEDB9548C4EE1EB3F2BC0C2B99D0C65D124281E1836E82733F264B1490AE59660AC48DBED2CE06AEAD846F48849B4F40B9F14CF2AF98FBF6CE405D5CF6A8F12FAFEC8922F26B1865B1C173ADD7F1D8CF1E0A745C42B8687EB7D5770A27567C0F62A43F32146095FD0704A209} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "Irp->CurrentLocation <= Irp->StackCount + 1" | |
| $a1 = "Entering DriverEntry" | |
| $a2 = "ERROR: IoCreateSymbolicLink failed" | |
| $a3 = "ERROR: IoCreateDevice failed" | |
| $a4 = "Leaving DriverEntry" | |
| $a5 = "Entering WinIoDispatch" | |
| $a6 = "IRP_MJ_CREATE" | |
| $a7 = "IRP_MJ_DEVICE_CONTROL" | |
| $a8 = "ERROR: Unknown IRP_MJ_DEVICE_CONTROL" | |
| $a9 = "Leaving WinIoDispatch" | |
| $a10 = "Entering WinIoUnload" | |
| $a11 = "ERROR: IoDeleteSymbolicLink" | |
| $a12 = "Leaving WinIoUnload" | |
| $a13 = "Entering MapPhysicalMemoryToLinearSpace" | |
| $a14 = "ERROR: ZwMapViewOfSection failed" | |
| $a15 = "ERROR: HalTranslateBusAddress failed" | |
| $a16 = "ERROR: ObReferenceObjectByHandle failed" | |
| $a17 = "ERROR: ZwOpenSection failed" | |
| $a18 = "Leaving MapPhysicalMemoryToLinearSpace" | |
| $a19 = "Entering UnmapPhysicalMemory" | |
| $a20 = "ERROR: UnmapViewOfSection failed" | |
| $a21 = "Leaving UnmapPhysicalMemory" | |
| $w0 = "\\Device\\EneIo" wide | |
| $w1 = "\\DosDevices\\EneIo" wide | |
| $w2 = "\\Device\\PhysicalMemory" wide | |
| $m0 = {CDBBAA03BF9630FC7F729C17C4ED8D9199A1B6A452827B642CCF8FE37B6A0B03A58788CBE0C1F0FAE10AFFBB709C1E39CC160D30E51DE144EC4092A9266BB8D5677EDAFD5400C3CE3532069232074DD1C181E9E3BC4DE35FE6A68BCB320D7CBA3E7D28FD0CE4496856E92834D9F6C26C1C5981A33E9CC12929E0D88008C2336FCC9723D660E12CAD572F61341D56AD1A08729607B74B579418628F98F327035ECCD40B95A4648531AADED7669FD826ECDAEDB842CFAF77AAB4E22A7ED9224A99658B6C0BF64B3FD03A0E7DBC4FB6988BE36C98A6A039A5A8DE2689E0355DD4470E690A0136356562B0DDD40B599D964238EBB7B487BAE556262B3801CEF311AD} | |
| $m1 = {CB5F1EAB51F4D37D612DD2199ABD25FD975C75CDCC23B09955F2B98003366A6F80C60CB5BA3C27450406156BAD0EDE7E47AE3803736B3D28130D242C2F391848A7465E08A9C45360C98C30A3C67D632146E008932FB895976F29FF79D88E9739C833A3571E307214EEB77A7FFF59DB35D075E9C9B2729D56C1CBB72CB7C79B1E2F6B9DE0493A1BF439D3BDA80BA769995B131C4E670937AEA0A826655ABA7FADBB49CA89066722C5E8921B198F02711F5BC1742406ACE87A28A96883A442BC2F247E81F17F27648F706768C372FB69D7E5F00E2C2233E41BC71BD7254D2FFC76FB317CF2989F8E1F6A9960ABBFF1320FCAFD33489D595C58ADE23D2978283074C8354EF2EF96185ADB60A8BEE7FD9AACF9C03DE37D4E4ACF0B65DF21A471E4222283F25360528E51813A35A0EAE9FCC175E085C206432C930ED3B762AF522735733FDB11A449F9BBE3DF3F95D9F9D493E870D9AC5B080C4931735FC6532C9B097548443349997730221181D41056562E24DC8CC49BB415A3618AD8C4EFE5CD44FBAD74E803A26D69C093A776BF16D97951B2A8109001DC87363E51AB71D9D14E958EE6D85BF3A9357087093B8C55F0D573357114FE6B0E5615B36B34BF7405EEA03B6DF86E3112E247F44BE7B7490DEB65CBA12384A47B5BF1E2FD6469CEB31F1B5B9F68F07522786FA839CBF0FEE4A667B90B4671FE7A7E75133E57E156509D} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "LHA: InitAcpiInfo Failed - STATUS_INVALID_INFO_CLASS\n" | |
| $w0 = "\\Device\\{E8F2FF20-6AF7-4914-9398-CE2132FE170F}" wide | |
| $w1 = "\\DosDevices\\{E8F2FF20-6AF7-4914-9398-CE2132FE170F}" wide | |
| $m0 = {BCE9238C02E3369575D0B74EBBF849ACB31B770A449D3D3D8AF9AC9960342224409F55BBB3EF04C1B83E942270AFBFA85296A94E2B8EB536942CF1915741BB31DD3AEDEB14079B3A7E795EA13864D53B1D2B8509718CE83C0D15785EFB9AE173A8D231B40110D0CCC600EE33F012FC6339B7A0DF1000571729DD6F3064A0ECA13F5F55AFF5EB2A33CC80EF3C340749FC7AF033537F34E4B4281A177391B543F7A9249BB8A879F0F1ED11D3F118258B40DAD4EEE23C6CA7D30B2847BD8FCC3F89FAC64E14B10A526434AA273CD81AC54F0BEB75C691DF5353D7F1ED754E13D70AA6312443A9B965326F3177A4D0AFB027FA8485089FE026F3B5815CC3CB354777} | |
| $m1 = {CB5F1EAB51F4D37D612DD2199ABD25FD975C75CDCC23B09955F2B98003366A6F80C60CB5BA3C27450406156BAD0EDE7E47AE3803736B3D28130D242C2F391848A7465E08A9C45360C98C30A3C67D632146E008932FB895976F29FF79D88E9739C833A3571E307214EEB77A7FFF59DB35D075E9C9B2729D56C1CBB72CB7C79B1E2F6B9DE0493A1BF439D3BDA80BA769995B131C4E670937AEA0A826655ABA7FADBB49CA89066722C5E8921B198F02711F5BC1742406ACE87A28A96883A442BC2F247E81F17F27648F706768C372FB69D7E5F00E2C2233E41BC71BD7254D2FFC76FB317CF2989F8E1F6A9960ABBFF1320FCAFD33489D595C58ADE23D2978283074C8354EF2EF96185ADB60A8BEE7FD9AACF9C03DE37D4E4ACF0B65DF21A471E4222283F25360528E51813A35A0EAE9FCC175E085C206432C930ED3B762AF522735733FDB11A449F9BBE3DF3F95D9F9D493E870D9AC5B080C4931735FC6532C9B097548443349997730221181D41056562E24DC8CC49BB415A3618AD8C4EFE5CD44FBAD74E803A26D69C093A776BF16D97951B2A8109001DC87363E51AB71D9D14E958EE6D85BF3A9357087093B8C55F0D573357114FE6B0E5615B36B34BF7405EEA03B6DF86E3112E247F44BE7B7490DEB65CBA12384A47B5BF1E2FD6469CEB31F1B5B9F68F07522786FA839CBF0FEE4A667B90B4671FE7A7E75133E57E156509D} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5" | |
| created = "2023-04-07" | |
| strings: | |
| $w0 = "\\Device\\WinRing0_1_2_0" wide | |
| $w1 = "\\DosDevices\\WinRing0_1_2_0" wide | |
| $m0 = {C6BCD918CF65D1873C8AFC9A0942B968C9F0BD6807B070611D73DFACDDF6BEDC36127E5C6079BE65640F2C12A65CB053C97A98011588C787BD81902DAD544B4C0CDA4DCF87A1D155CEC97BE3ACCA492FBB2222210D6ECE8421DD6B0A3F7FA02952C441029D8FBD2392A35BAB14FDFB5C7A6B9CC71AE6E4D6C9FCECE71D916EA62B6337EE7BF76FBD6137AD7E690A2FC6EB34BB3E09E8A9806DEC1A9D897A93336BE05307278ACEC04DA7E20A92FC5FF15716E863E7D251F50D8E892DB6C291C04592488087522D84F46D7201E5CF9BD831FE2BA6AAA5397F3AC78A7AD5FB27A0FC8CDE13C0F280FE92FEA842D30F49A793BA0C64B408D6B8C2FD02EA475DBAE7} | |
| $m1 = {BDEF30F130F134A98965774D46A78D90FDAE4F8ECA2817BA59E3A8920A45032A8A8FE50950555281F0A391B1D9122A81F6C2031C3C82C072CDF1A700D7F5549C0A47EE9A9541928EA0AD093DD3EBA274AD9F192009B67DA65E359F4F396A03B58AAD1F96626B17B9AB8760D55D6DD992C9D013AED488D950A8449104B0EA47EA5FB2ED04C1D7017C21F8C47123FC6B4C654433C38D1DE6D2661C522946C406E70B35F05901660089CF9CE37B78AA53E2EEAC3595E7FD5DD7429495D31A6E315547D7EBADC74C9F5471831A17C8F9E7CE5801F436BFAE3F599F657C40075C732034A212C349F46840691E89E085E93AB79763BB47B0396B41007EF54BB87FE321} | |
| $m2 = {A29B752AA713BA09712418DFA1066229129EDC9E7573E8DF5657699613564FF2C8BC0158ED2686720B60F519C55503579BB910C9A1D47440FF6C00E8E65337FEB7DA793EB85238E9812C9F0E3352A6CD70CE4A5D62F4D1675EBC974A07CABCDD8D47B1CDF1655B8501B04B6BDECD8E2EF550E8A39C9D26986B366341037044F05FE2257579507D5FA106A2460C55954714D39146866899E727F494EC9A4151F796D47A8CE14497687103D8586FBDB41042EE0D6675468B4496D23000120763F7449B0170CA566F9C58972A27178B2E71526D46ABA72B0F7F164864C852FA0617000774D745B30CF5789573E80AEEC4E0728C1E11AA1EBB5ECEF9B400EE73BDCD} | |
| $m3 = {CDCB1B731DA7FFDFC3AE4782C100F2913C1080D775E6A2E0B08AF86B73C248F9D98482DB6FBEAEBF56529935AFD6C2E3E2D1D4B6A79350720480F4C96B15F3FC7C3B584F77E24904628B999062038592FE0C6BDF41C4B28D581E88B9106104B4C7839CC2B116D6BD649507F9F9A65A3991523A2C27F8D0DCD31A9A598510B50061253B3D1317C8114C76A6FE4C61CC59D2C44330215C1540094F73E1C195A465668FDBD3A83011F9C5AC131150A84FB7541FECAF991A39A0ED2803117BBAB0B2FB843EB6F8744B899B990A9AE7F8894DB889C9B4A500339065C44260CEBC43423813D5DE5B6BA24ED13F4A3945675801B82353EF370766017FBF6709050BE7BF} | |
| $m4 = {B0B1F2800070CEECC38CB497EDC6098C266F89DF675981CFDE14134CC2B145E2537541FA07366FBA117028947C6D72BD071525653A09FF85DCFA7B5E378738E4C74B0880989E8ACD580902C0C30149965888892659F56DC6B9C1FB1825EDD8624ECA0A6C5D70EFCED39B290B09C6F6EEB616D43C548ECC5DE0AFDBDD2309327B328116620A06CB7ACF3421B66F36B6B1CECB9A2935403E9D587CFFAD8298FAB8D589CA35DDCBCD5706CB9BE4BF94A880985F7796F0B6E7AB74794021A663E9D00791BD8538B4AE96ACA1FF1473DAA545B84D86CE2A3CEFD4DF280E75A9A88813C2E47C6093F225CC038497E64EB69F2DD6B58B343CABD5383AC83DC4B1F994CD} | |
| $m5 = {DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B9951104BDF063D1E26766CF1CDDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD48C50151CEF50EEC42EF7FCE952F2917DE06DD535308E5E4373F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5123C927896D6DC746E934461D18DC746B2750E86E8198AD56D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F2091AB09536E90CE7B3774B97047912251631679AEB1AE412608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F7F9390CF} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_607dc4c75ac7aef82ae0616a453866b3b358c6cf5c8f9d29e4d37f844306b97c | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "607dc4c75ac7aef82ae0616a453866b3b358c6cf5c8f9d29e4d37f844306b97c" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "CITMDRV.SYS: ZwCreateFile failed (0x%x)\n" | |
| $a1 = "CITMDRV.SYS: unload...\n" | |
| $a2 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_WRITECOMBINE\n" | |
| $a3 = "CITMDRV.SYS: ZwMapViewOfSection conflicting address try with PAGE_NOCACHE\n" | |
| $a4 = "CITMDRV.SYS: ZwUnmapViewOfSection failed (0x%x)\n" | |
| $a5 = "CITMDRV.SYS: copy %u bytes into user memory\n" | |
| $a6 = "CITMDRV.SYS: virtualAddress=0x%p\n" | |
| $a7 = "CITMDRV.SYS: Insufficient input or output buffer\n" | |
| $a8 = "CITMDRV.SYS: MmProbeAndLockPages access violation\n" | |
| $a9 = "CITMDRV.SYS: ZwMapViewOfSection failed (0x%x)\n" | |
| $a10 = "CITMDRV.SYS: userOffset = 0x%x\n" | |
| $a11 = "CITMDRV.SYS: requested offset = 0x%x\n" | |
| $a12 = "CITMDRV.SYS: aligned Address = 0x%I64x\n" | |
| $a13 = "CITMDRV.SYS: Try to split into single pages\n" | |
| $a14 = "CITMDRV.SYS: ZwOpenSection failed (0x%x)\n" | |
| $a15 = "CITMDRV.SYS: offset = 0x%x\n" | |
| $a16 = "CITMDRV.SYS: aligned end Address = 0x%I64x\n" | |
| $a17 = "CITMDRV.SYS: aligned start Address = 0x%I64x\n" | |
| $a18 = "CITMDRV.SYS: requested Size = 0x%x\n" | |
| $a19 = "CITMDRV.SYS: requested Address = 0x%I64x\n" | |
| $a20 = "CITMDRV.SYS: IoAllocateMdl failed\n" | |
| $a21 = "CITMDRV.SYS: userVirtualAddress = 0x%p\n" | |
| $a22 = "CITMDRV.SYS: IRP_MJ_CREATE\n" | |
| $a23 = "CITMDRV.SYS: unknown IRP_MJ_DEVICE_CONTROL\n" | |
| $a24 = "CITMDRV.SYS: IoCreateDevice failed\n" | |
| $a25 = "CITMDRV.SYS: IoCreateSymbolicLink failed\n" | |
| $a26 = "CITMDRV.SYS: DriverEntry...\n" | |
| $w0 = "\\DosDevices\\CITMDRV" wide | |
| $w1 = "\\Device\\PhysicalMemory" wide | |
| $w2 = "\\Device\\CITMDRV" wide | |
| $m0 = {B1ACB349544B971C120AD825799122572A6FDCB826C443736BC2BF2E505AFB14C2768E43012543B4A1E245F4E8B77BC374CC22D7B4940002F74DEDBFB4B744246BCD5F453BD144CE43127317828B69B42BCB991EAC721B264D711FB131DDFB51610253A6AAF5492C057845A52F89CEE799E7FE8CE2573F3DC692DC4AF87B33E4790AFBF07588419CFFC5035199AAD76C9F93698765298385C26014C4C8C93B14DAC081F01F0D74DE9222ABCAF7FB747C27E6F74A1B7FA7C39E2DAE8AEAA6E6AA27167D61F7987111BCE250A14BE55DFAE50EA72C9FAA6520D3D896E8C87CA54E4844FF19E24407920BD76884805D6A786445CD60467E54C1137CC579F1C9C171} | |
| $m1 = {A2630B3944B8BB23A74449BB0EFFA1F0610A5393B098DBAD2C0F4AC56EFF863C53550F15CE043F2BFDA99696D9BE61790B5BC94C8676E5E0434B2295EEC22B43C19FD868B48E404FEE8538B911C523F26458F015326F4E57A1AE88A402D72A1ECD4BE1DD63D51789325BB05E995AA89D28500E17EE96DB613B45511DCF12560B9247FCABAEF6663D47AC7072E792E75FCD10B9C483649419BD2580E1E8D222A5D0BA027AA177935B65C3EE1774BC41862ADC084C8C928C912D9E77441F68D6A87477DB0E5B328B568B33BDD963C8499D3AC5C5EA330BD2F1A31BF48BBED9B3578B3BDE04A77A22B224AE2EC770C5BE4E832608FB0BBDA94F9908E1102872AACD} | |
| $m2 = {D66D48AB487B00E92CAB08B846957A4918A507E5A6ACF04FEDCD529AB14D7EB0444DED486867E9C23B5CE55969AE520C6E556E2D1583277A6A09479D9CE2104BB76D1332005412F7D28AA1A85027F622F542F2832FB348F0454BE2D13BAD717280718D798272374000C8DF32748EB926321695E71ACA96FA4B55ACF24DF9A780BDEFE07205866592C1941457898ACB2A866226CF5C5E336C59B9D4359DAB8D340FCC0606C7565AEC8D5AACC37AAED10DD2F72260F831D1FA7ED05D69C7EF31C65424CAF31BF2D9482EA4108D0F7D13B30D6D5FC88D516E9992518D418A871F6CEBC20E55012AB2B7C73611995439723309A26374311F3C4C5D324E6CE5B2EAA3} | |
| $m3 = {AF240808297A359E600CAAE74B3B4EDC7CBC3C451CBB2BE0FE2902F95708A364851527F5F1ADC831895D22E82AAAA642B38FF8B955B7B1B74BB3FE8F7E0757ECEF43DB66621561CF600DA4D8DEF8E0C362083D5413EB49CA59548526E52B8F1B9FEBF5A191C23349D843636A524BD28FE870514DD189697BC770F6B3DC1274DB7B5D4B56D396BF1577A1B0F4A225F2AF1C926718E5F40604EF90B9E400E4DD3AB519FF02BAF43CEEE08BEB378BECF4D7ACF2F6F03DAFDD759133191D1C40CB7424192193D914FEAC2A52C78FD50449E48D6347883C6983CBFE47BD2B7E4FC595AE0E9DD4D143C06773E314087EE53F9F73B8330ACF5D3F3487968AEE53E82515} | |
| $m4 = {F5234B5EA5D78ABB32E9D457F7EFE4C7267EAD1998FEA89D7D94F6366B10D77581307F04687FCB2B751ECD1D088CDF6994A737A39C7B80E099E1EE374D5FCE3B14EE86D4D0F52735BC250B38A78C639D17A308A5ABB0FBCD6A62824CD521DA1BD9F1E3843B8A2A4F855B90014FC9A776107F27037CBEAE7E7DC1DDF905BC1B489C69E7C0A43C3C41003EDF96E5C5E49471D65501C700264A403CB5A126A90CA76D808E90257BCFBF3F1CEB2F96FAE58777C6B556B27A3B5430531BDF6234FF1ED1F45A932885E54C174E7E5BFDA493997FDFCDEFA475EFEF15F647E7F81972D82E341AA6B4A74C7EBDBB4F0C3D57F130D6A6368ED68076D7192EA5CD7E342D89} | |
| condition: | |
| uint16(0) == 0x5A4D | |
| and (uint32(uint32(0x3C)) == 0x00004550) | |
| and all of them in ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| .. | |
| ( | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].virtual_address) | |
| + | |
| pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size) | |
| ) | |
| ) | |
| } | |
| rule LOLDrivers_543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91 | |
| { | |
| meta: | |
| author = "@qutluch" | |
| hash = "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91" | |
| created = "2023-04-07" | |
| strings: | |
| $a0 = "Unable to disasm 0x%Ix => res == DECRES_INPUTERR || DecodedInstructionCount == 0" | |
| $a1 = "..\\..\\..\\..\\KernelLibs\\DiStorm3\\disasm.c" | |
| $a2 = "StopOnBranch is TRUE and there is not enough instructions" | |
| $a3 = "Buffer can not be null" | |
| $a4 = "HlpAllocateUnicodeString" | |
| $a5 = "..\\..\\..\\..\\KernelLibs\\HelperFunctions\\HelperFunctions.c" | |
| $a6 = "Not enough memory" | |
| $a7 = "Can not allocate unicode string %wZ" | |
| $a8 = "HlpMatchUnicodeString" | |
| $a9 = "Can not allocate buffer for wide string" | |
| $a10 = "HlpUnicodeStringToWideString" | |
| $a11 = "HlpAllocateAnsiString" | |
| $a12 = "Can not allocate ansi string for %s" | |
| $a13 = "HlpContainsTextA" | |
| $a14 = "HlpGetProcessImagePath" | |
| $a15 = "NtOpenProcess failed!" | |
| $a16 = "ZwQueryInformationProcess failed!" | |
| $a17 = "Can not allocate memory for buffer" | |
| $a18 = "ZwQueryInformationProcess failed 2nd time" | |
| $a19 = "ERROR: ZwCreateFile failed!" | |
| $a20 = "Cannot allocate buffer" | |
| $a21 = "HlpGetSystemRootPath" | |
| $a22 = "ERROR: ObReferenceObjectByHandle failed!" | |
| $a23 = "ERROR: ObQueryNameString failed!" | |
| $a24 = "Current process %s" | |
| $a25 = "HlpPrintCurrentProcessName" | |
| $a26 = "Can not open process id %d" | |
| $a27 = "HlpIsCriticalSystemProcess" | |
| $a28 = "STATUS_SUCCESS" | |
| $a29 = "STATUS_WAIT_1" | |
| $a30 = "STATUS_WAIT_2" | |
| $a31 = "STATUS_WAIT_3" | |
| $a32 = "STATUS_WAIT_63" | |
| $a33 = "STATUS_ABANDONED" | |
| $a34 = "STATUS_ABANDONED_WAIT_63" | |
| $a35 = "STATUS_USER_APC" | |
| $a36 = "STATUS_KERNEL_APC" | |
| $a37 = "STATUS_ALERTED" | |
| $a38 = "STATUS_TIMEOUT" | |
| $a39 = "STATUS_PENDING" | |
| $a40 = "STATUS_REPARSE" | |
| $a41 = "STATUS_MORE_ENTRIES" | |
| $a42 = "STATUS_NOT_ALL_ASSIGNED" | |
| $a43 = "STATUS_SOME_NOT_MAPPED" | |
| $a44 = "STATUS_OPLOCK_BREAK_IN_PROGRESS" | |
| $a45 = "STATUS_VOLUME_MOUNTED" | |
| $a46 = "STATUS_RXACT_COMMITTED" | |
| $a47 = "STATUS_NOTIFY_CLEANUP" | |
| $a48 = "STATUS_NOTIFY_ENUM_DIR" | |
| $a49 = "STATUS_NO_QUOTAS_FOR_ACCOUNT" | |
| $a50 = "STATUS_PRIMARY_TRANSPORT_CONNECT_FAILED" | |
| $a51 = "STATUS_PAGE_FAULT_TRANSITION" | |
| $a52 = "STATUS_PAGE_FAULT_DEMAND_ZERO" | |
| $a53 = "STATUS_PAGE_FAULT_COPY_ON_WRITE" | |
| $a54 = "STATUS_PAGE_FAULT_GUARD_PAGE" | |
| $a55 = "STATUS_PAGE_FAULT_PAGING_FILE" | |
| $a56 = "STATUS_CACHE_PAGE_LOCKED" | |
| $a57 = "STATUS_CRASH_DUMP" | |
| $a58 = "STATUS_BUFFER_ALL_ZEROS" | |
| $a59 = "STATUS_REPARSE_OBJECT" | |
| $a60 = "STATUS_RESOURCE_REQUIREMENTS_CHANGED" | |
| $a61 = "STATUS_TRANSLATION_COMPLETE" | |
| $a62 = "STATUS_DS_MEMBERSHIP_EVALUATED_LOCALLY" | |
| $a63 = "DBG_EXCEPTION_HANDLED" | |
| $a64 = "DBG_CONTINUE" | |
| $a65 = "STATUS_OBJECT_NAME_EXISTS" | |
| $a66 = "STATUS_THREAD_WAS_SUSPENDED" | |
| $a67 = "STATUS_WORKING_SET_LIMIT_RANGE" | |
| $a68 = "STATUS_IMAGE_NOT_AT_BASE" | |
| $a69 = "STATUS_RXACT_STATE_CREATED" | |
| $a70 = "STATUS_SEGMENT_NOTIFICATION" | |
| $a71 = "STATUS_LOCAL_USER_SESSION_KEY" | |
| $a72 = "STATUS_BAD_CURRENT_DIRECTORY" | |
| $a73 = "STATUS_SERIAL_MORE_WRITES" | |
| $a74 = "STATUS_REGISTRY_RECOVERED" | |
| $a75 = "STATUS_FT_READ_RECOVERY_FROM_BACKUP" | |
| $a76 = "STATUS_FT_WRITE_RECOVERY" | |
| $a77 = "STATUS_SERIAL_COUNTER_TIMEOUT" | |
| $a78 = "STATUS_NULL_LM_PASSWORD" | |
| $a79 = "STATUS_IMAGE_MACHINE_TYPE_MISMATCH" | |
| $a80 = "STATUS_RECEIVE_PARTIAL" | |
| $a81 = "STATUS_RECEIVE_EXPEDITED" | |
| $a82 = "STATUS_RECEIVE_PARTIAL_EXPEDITED" | |
| $a83 = "STATUS_EVENT_DONE" | |
| $a84 = "STATUS_EVENT_PENDING" | |
| $a85 = "STATUS_CHECKING_FILE_SYSTEM" | |
| $a86 = "STATUS_FATAL_APP_EXIT" | |
| $a87 = "STATUS_PREDEFINED_HANDLE" | |
| $a88 = "STATUS_WAS_UNLOCKED" | |
| $a89 = "STATUS_SERVICE_NOTIFICATION |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment